Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward.


One of the most common threats to website security is the theft of user accounts. To compromise an account, attackers use a simple method: they try to guess its password, either by combining different characters or by selecting passwords from a dictionary.

This threat can be easily eliminated by limiting the number of invalid logon attempts: the system locks a user's account after an incorrect password has been entered the specified number of times.

To display a friendly message to users (as shown in the picture above), check the Display account lock information message option in Site Manager -> Settings -> Security & Membership -> Protection. If you do not check this option, users see only a general message, without knowing that their account has been locked.

Users cannot log in to a locked account. The global or site administrator has to unlock the account for them.

Using this protection may also lead to another security risk. If users have easy-to-guess user names, an attacker can block their accounts at any time by deliberately submitting wrong passwords with those user names.




Limiting the number of invalid logon attempts

You can limit the number of allowed invalid logon attempts in Settings -> Security & Membership -> Protection in the Invalid logon attempts group, which contains the following settings:

  • Maximum invalid logon attempts - specifies the number of attempts to log in that the user can try before the system locks their account and denies access. If set to zero, account locking will be disabled.
  • Send unlock account email - indicates whether an e‑mail should be sent to the user if their account gets locked.
  • Unlock user account path - allows selecting the path (or typing in the URL) of a custom page, on which the user can unlock their account.

Resetting the number of invalid logon attempts

When you edit a user in Site Manager -> Administration -> Users, you can view the number of invalid logon attempts the user made in the Invalid logon attempts field. To reset the number back to zero and unlock (enable) the user's account in case the user has reached the limit, click the Reset button.
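The following added example is not Kentico code. It is a small Python model of the counter behind the Maximum invalid logon attempts setting, showing the zero-disables rule, the administrator's reset, and the forced-lockout risk described earlier. The class, method and user names are hypothetical, and two behaviours are assumptions: that a successful logon clears the counter, and that the attempt which reaches the limit is itself answered with the locked response.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutModel:
    """Models the counter behind 'Maximum invalid logon attempts'."""
    max_invalid_attempts: int                      # 0 disables account locking
    attempts: dict = field(default_factory=dict)   # user name -> failed count
    locked: set = field(default_factory=set)       # user names currently locked

    def log_on(self, user: str, password_correct: bool) -> str:
        if user in self.locked:
            return "locked"            # even the correct password is refused
        if password_correct:
            self.attempts[user] = 0    # assumption: success clears the counter
            return "ok"
        self.attempts[user] = self.attempts.get(user, 0) + 1
        # The limit only applies when it is greater than zero.
        if 0 < self.max_invalid_attempts <= self.attempts[user]:
            self.locked.add(user)
            return "locked"
        return "denied"

    def reset(self, user: str) -> None:
        """What the administrator's Reset button does: zero and unlock."""
        self.attempts[user] = 0
        self.locked.discard(user)


def forced_lockout_demo(limit: int = 3) -> list:
    """Wrong passwords sent by someone else lock out the real owner."""
    model = LockoutModel(max_invalid_attempts=limit)
    # Constructed sequence: 'limit' wrong passwords from a third party.
    results = [model.log_on("jsmith", False) for _ in range(limit)]
    results.append(model.log_on("jsmith", True))   # owner, correct password
    model.reset("jsmith")                          # administrator intervenes
    results.append(model.log_on("jsmith", True))   # owner can log on again
    return results


if __name__ == "__main__":
    print(forced_lockout_demo())
    disabled = LockoutModel(max_invalid_attempts=0)
    print([disabled.log_on("jsmith", False) for _ in range(5)])
```

The owner's correct password is refused until the reset, which is why predictable user names turn the lockout itself into a way to deny access.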
