Invalid logon attempts

One of the most common threats to website security is the takeover of user accounts. To compromise an account, attackers use methods that try to guess its password, either by systematically combining characters or by trying passwords from a dictionary.

This threat can be mitigated by introducing a limit on invalid logon attempts: the system locks a user's account after an incorrect password has been entered the specified number of times.

Locked account after exceeding the number of invalid logon attempts

To display a friendly message (as shown in the picture above) to the users, check the Display account lock information message option in Settings -> Security & Membership -> Protection. If you do not check this option, the users will see only a general message without knowing that their account has been locked.

Users cannot log in to a locked account. The global or site administrator has to unlock the account for them.

Using this protection also introduces another security risk. If user names are easy to guess, an attacker can lock users out of their accounts at will by deliberately submitting wrong passwords together with their user names.

Limiting the number of invalid logon attempts

You can limit the number of allowed invalid logon attempts in Settings -> Security & Membership -> Protection in the Invalid logon attempts group, which contains the following settings:

  • Maximum invalid logon attempts - specifies how many times a user can attempt to log in before the system locks their account and denies access. If set to zero, account locking is disabled.
  • Send unlock account e‑mail - indicates whether an e‑mail should be sent to the user if their account gets locked.
  • Unlock user account path - allows selecting the path (or typing in the URL) of a custom page, on which the user can unlock their account.

See Settings - Protection.

Resetting the number of invalid logon attempts

When a user successfully logs in, the system automatically resets the number of invalid logon attempts to zero.

Administrators can also reset the invalid logon attempt counter manually:

  1. Open the Users application.
  2. Edit the given user.
  3. View the number of invalid logon attempts the user made in the Invalid logon attempts field.
  4. Click Reset to set the number back to zero and unlock the user’s account (if the user has reached the limit).
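The following is an added example, not Kentico's own code or API, that models the behaviour described on this page: a counter of invalid logon attempts per user, locking once the configured maximum is reached (zero disables locking), a generic versus informative message depending on the "display lock information" option, automatic reset of the counter on a successful logon, and the administrator's manual Reset. The user store, the policy fields and the password hashing are constructed for illustration only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

GENERIC_MESSAGE = "Invalid user name or password."
LOCKED_MESSAGE = "Your account has been locked due to too many invalid logon attempts."


@dataclass
class LockoutPolicy:
    """Constructed stand-in for the settings in the Invalid logon attempts group."""
    max_invalid_attempts: int = 5        # 0 disables account locking
    display_lock_message: bool = True    # "Display account lock information message"


@dataclass
class UserAccount:
    """Constructed account record; 'invalid_logon_attempts' mirrors the field shown to admins."""
    user_name: str
    password_hash: bytes
    invalid_logon_attempts: int = 0
    locked: bool = False


def hash_password(password: str) -> bytes:
    # Demo-only hashing so the example runs offline; a real store uses a salted, slow KDF.
    return hashlib.sha256(password.encode("utf-8")).digest()


class LogonService:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserAccount] = {}

    def add_user(self, user_name: str, password: str) -> None:
        self.users[user_name] = UserAccount(user_name, hash_password(password))

    def _failure_message(self, user: UserAccount) -> str:
        # Only reveal the lock when the "display lock information" option is on.
        if user.locked and self.policy.display_lock_message:
            return LOCKED_MESSAGE
        return GENERIC_MESSAGE

    def logon(self, user_name: str, password: str) -> Tuple[bool, str]:
        user = self.users.get(user_name)
        if user is None:
            return False, GENERIC_MESSAGE          # unknown user: same message as wrong password
        if user.locked:
            return False, self._failure_message(user)   # locked users cannot log in at all

        if hmac.compare_digest(user.password_hash, hash_password(password)):
            user.invalid_logon_attempts = 0        # successful logon resets the counter
            return True, "Logon successful."

        user.invalid_logon_attempts += 1
        limit = self.policy.max_invalid_attempts
        if limit > 0 and user.invalid_logon_attempts >= limit:
            user.locked = True                     # limit reached: lock the account
        return False, self._failure_message(user)

    def reset_invalid_attempts(self, user_name: str) -> None:
        """Administrator's Reset: counter back to zero and account unlocked."""
        user = self.users[user_name]
        user.invalid_logon_attempts = 0
        user.locked = False


if __name__ == "__main__":
    svc = LogonService(LockoutPolicy(max_invalid_attempts=3))
    svc.add_user("alice", "correct-horse")
    for attempt in ("a", "b", "c", "correct-horse"):
        print(attempt, "->", svc.logon("alice", attempt))
    svc.reset_invalid_attempts("alice")
    print("after reset ->", svc.logon("alice", "correct-horse"))
```

Running the module locks the constructed user after three wrong passwords, rejects the correct password while the lock is in place, and accepts it again only after the administrative reset.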