Locking Out Account and Password Reset?

I just spent a whole bunch of time adding code - LOTS of code - to my Log-In script, so that a User gets “locked out” of their account if they have more than 3 failed log-in attempts.

After all of that work, it just dawned on me that the “Reset Password” link which I have on my Log-In Page probably completely undoes any value of this new “lock out” functionality that I just wrote, right?? :-/

Should I get rid of this reset link, and its related functionality?

Sincerely,

Debbie

In what way does the reset link undo the lockout? There shouldn’t be any connection between the two.

The logic for locking out after three wrong passwords is extremely simple. You have an extra field in your user table that counts the invalid attempts. That starts as zero for everyone. The password validation first checks if the invalid count is 3 and, if so, rejects the attempt; otherwise, if the password is wrong, it adds 1 to the count and rejects the login. Then you'd just have an unlock option in your back end that resets the count to zero when you want to unlock the account. None of this processing would be affected by changing the password.
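The counter logic described in the post above, written out as an added example (not code from the thread; Debbie's site is PHP, but Python is used here so the logic can be run and checked stand-alone). The table column and function names are assumptions, as is clearing the counter on a successful login, which the post does not mention. Note that `change_password` rotates the stored hash without touching the counter, which is the point the post makes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_FAILED = 3  # "3 strikes" from the thread


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 hash of the password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0  # the extra column; starts at zero for everyone


def make_user(username: str, password: str) -> User:
    salt, digest = hash_password(password)
    return User(username, salt, digest)


def login(user: User, password: str) -> str:
    """Returns "ok", "bad_password" or "locked"."""
    # Check the counter before looking at the password, so a locked account is
    # rejected even when the submitted password is correct.
    if user.failed_attempts >= MAX_FAILED:
        return "locked"
    _, digest = hash_password(password, user.salt)
    if hmac.compare_digest(digest, user.pw_hash):
        user.failed_attempts = 0  # assumption: a good login clears earlier strikes
        return "ok"
    user.failed_attempts += 1
    return "locked" if user.failed_attempts >= MAX_FAILED else "bad_password"


def admin_unlock(user: User) -> None:
    """The back-end unlock option: just zero the counter."""
    user.failed_attempts = 0


def change_password(user: User, new_password: str) -> None:
    """Rotates the stored hash and deliberately leaves the counter alone:
    changing the password has no effect on the lockout state."""
    user.salt, user.pw_hash = hash_password(new_password)


def demo() -> list:
    """Walks through three strikes, a correct password that is still refused,
    a password change that does not release the lock, and an admin unlock."""
    u = make_user("debbie", "correct horse battery staple")
    results = [login(u, "guess1"), login(u, "guess2"), login(u, "guess3")]
    results.append(login(u, "correct horse battery staple"))  # still locked
    change_password(u, "new password")
    results.append(login(u, "new password"))  # the lock survives the change
    admin_unlock(u)
    results.append(login(u, "new password"))
    return results
```

The counter is checked before the hash comparison on purpose: if the comparison ran first, a locked account would still leak whether a guess was correct through timing or through a different error path.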

Not CHANGE your Password… RESET your Password.

I just finished my “3 Strikes And You’re Out!” addition to “log-in.php”.

The conflict I see is this…

Debbie forgets her password, and fails to log in 3 consecutive times.

The System locks her out.

So Debbie just clicks “Reset Password”, and the System sends her a TEMP password (i.e. “Resetting” her Password).

The System requires her to then CHANGE the Temp Password for a NEW PASSWORD.

Debbie gets 3 more strikes now, and is no longer locked out!!!

See the problem now??

(You would expect being “locked out” to be permanent until the Admin intervenes…)


You could use the argument that when an Account is “locked out”, that is just too bad for the User, and they’ll have to be patient until the Admin resets things…


There is also the issue…

What should happen when an Admin removes the block??

Should the Admin RESET the Password for the User?

Those are my questions and concerns…

Sincerely,

Debbie

As a customer/user, that is not the behavior I would expect.

It is an honest thing to forget your password for a specific website today; you easily have a hundred or more accounts, and unless you use the same password everywhere this gets messy (and no, if anyone gets that idea, please do not use the same password in all places). In addition, what would you do if I failed entering the correct password twice, and then requested a password reset? Would you keep the two failed attempts, allowing me just to fail once more, or?

The normal way this problem is handled is that the “lock out” is for a limited amount of time. If this is a normal member area, all you want to prevent is brute force attempts, so having a 15 min timeout is a good choice. But you can also have longer if you so choose; the key is that you let the customer know how long they are locked out. In addition, the locked-out time is reset every time another login attempt is made during the initial period. So if I try to log in again after 10 min, you don't even validate the login information but just extend the locked-out period by another 15 min.

In addition, keep in mind that you want to keep any actions you need to take as an administrator to a minimum, as each time you need to review a case like this and take an action, it costs you time and thereby money.
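The timed lockout that TheRedDevil describes, as an added example (this is not code from the thread; Python is used for illustration although the site under discussion is PHP). The 15 minute window is the one suggested above; the `verify` callback, the `now` parameter and the decision to start a fresh set of three strikes after the window are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

MAX_FAILED = 3
LOCK_SECONDS = 15 * 60  # the 15 minute timeout suggested in the thread


@dataclass
class LoginState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def attempt_login(state: LoginState, verify: Callable[[], bool], now: float) -> tuple:
    """Returns (result, seconds_remaining).

    `verify` performs the actual password check and is only invoked when the
    account is not locked; `now` is passed in so the logic can be tested."""
    if now < state.locked_until:
        # Still inside the window: do not validate the credentials at all,
        # just push the lock out by a fresh 15 minutes.
        state.locked_until = now + LOCK_SECONDS
        return "locked", LOCK_SECONDS
    if verify():
        state.failed_attempts = 0
        state.locked_until = 0.0
        return "ok", 0
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED:
        state.failed_attempts = 0  # assumption: fresh strikes once the window has passed
        state.locked_until = now + LOCK_SECONDS
        return "locked", LOCK_SECONDS
    return "bad_password", 0


def user_message(result: str, remaining: int) -> str:
    """Tell the user how long they are locked out, as the post recommends."""
    if result == "locked":
        return "Too many failed attempts. Try again in %d minutes." % (remaining // 60)
    if result == "bad_password":
        return "Invalid username or password."
    return "Welcome back."
```

One caveat a practitioner should weigh before copying the "extend on every attempt" rule: because attempts made during the window are never validated, anyone who knows the username can keep the real owner out indefinitely by submitting a bad password every few minutes. Capping the number of extensions, or counting strikes per source address as well as per account, limits that.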

TheRedDevil,

Sorry, looks like we disagree on this…

If I get locked out of my computer at work, the only way to get back in is to call the Help Desk. (There is no, “Get locked out after 3 failed attempts, BUT just click on ‘Reset Password’ link and you can get back in!!”)

Yes, a LAN Account and a Web Account are slightly different, but then again, are they?!

If you come to my website, I expect you to take my site and your account seriously. And if you can’t do that, then there are consequences (e.g. having to wait to get back in).

I’m not trying to be a jerk to my Users, however, my website’s security comes before user convenience!!

And it just seems like locking Users out, and then letting them reset their passwords sorta undoes the “lock out” feature.

Also, if having to “unlock accounts” becomes a major issue, then I think that says a lot about my customer-base, and means I need to re-think who comes to, and gets to stay on my website…

Maybe some other people can help me get my hands around this topic better…

Sincerely,

Debbie

The security aspect of a company's internal network account and the security aspect of a normal website member back office account are as far apart as day and night.

The amount of damage someone can do if they get access to a company's internal network account can be significant, depending on where you work and whose account you get access to. Potentially, if you get access to the right account, you can do enough damage to seriously set a company back.

While on a member back office, the damage done will only apply to the account, and not the entire website.

This is why the security restrictions are much higher on an internal network account compared to a website account.

With a website, the main reason for the X strikes lockout is to prevent automatic brute forcing of an account, not to block the member from being able to log in later. With that said, if this was the login to the admin control panel, then locking down the account is a good thing, but not for a normal member back office.

I am not sure how locking down the account until you unlock it from the member area improves your website's security compared to a timed lockdown. The only thing you do is give the user additional frustration and give yourself additional management work.

If you really want to have the feature work like this, then I have no idea why you are even dragging the “reset password” function into it. All you need to do is have the reset password function only work if the account is not locked down, and in addition make sure that it does not reset any failed attempts there are on an account if the password is reset before three login attempts have been made. I.e. when an account is locked down, the reset password function should not work for that specific account. I would also recommend you let your users know how they can unblock the account if they try to reset the password while it is blocked, i.e. how they can reach you.

While it might not seem like a lot of management work right now, when your active user base is several hundred thousand members visiting the site per day, that will change. There will always be a set percentage of the members per day who cannot remember their password and who would trigger the lockdown.

Wow, look at that passionate response. :stuck_out_tongue:

Fair enough, although if this was someone’s Citibank account or their Amazon.com account, things may not be that simple. (And I am striving to be in that category some day…)

I guess I see it as an “extended” time-out.

My fear of having “3 Strikes You’re Out” and then immediately allowing someone to do a “Password Reset” themselves, is that would allow a hacker to have an unlimited ability to keep trying to guess their way in…

Let’s say you have an ex-lover who is still pissed at you for breaking their heart, and since they know your Username/Email, this crazed ex-lover just keeps trying and trying and trying until he/she finally gets in?! :eek:

That is a legitimate concern of mine.

If I break that cycle and require an Admin’s (i.e. “my”) intervention, then I can do some research and look for any suspicious patterns before I send out a Password Reset. For example, maybe I notice this is a regular issue. Or that something else looks suspicious, like the failures keep coming from an IP in China, and yet this User is in Des Moines, IA?

Again, I’m not claiming to be a security guru, nor am I claiming that I have all of these great “checks and balances” built into my website at this point. However, sometimes making things slightly more manual is a good idea…

Because I had a “Reset Password” link in the past.

Then I spent all of this time adding a new “Lock Out” feature.

And now it seems to me that the former undoes the benefit of the latter?! :-/

That would be a “Change Password” feature. And I have that, and that is different from the “Reset Password” feature we are debating.

That makes no sense.

You have a “Reset Password” because someone forgot their password.

If someone is able to “reset” their password, then they would be starting from a clean slate.

You lost me there…

Sure.

A good problem to have!! :wink:

True.

I’m just trying to be cautious, and keep adding security and protection, and not taking it away…

Backing up for a minute, though…

Please explain to me, TheRedDevil, why you do NOT think it is a “conflict of interest” to allow someone to circumvent my “Lock Out” feature by simply clicking on the “Reset Password” link??

(I know you talked about preventing Brute-Force Attacks, but what about the disgruntled ex-lover I described…) :-/

Sincerely,

Debbie

Please explain to me, TheRedDevil, why you do NOT think it is a “conflict of interest” to allow someone to circumvent my “Lock Out” feature by simply clicking on the “Reset Password” link??

Sure, though first, to avoid any confusion, since you mentioned that you have a “change password” and a “reset password” feature: if both of those are available before the user logs in then that does not really make sense. Before a user successfully logs in, it is normal to have a feature that allows them to reset their password; whether it is called Lost Password, Reset Password etc. does not matter.

Now, the key here is that your system should not allow me to successfully reset my password (+ locked out status) and by that get access again if I am locked out. This is, as you say, not desired functionality.

At the same time I do not see why this is a problem, as from a programming side, this is a very simple problem to solve.

There are two ways to sort this:

  1. On the reset/lost password page, you first check if the account is locked down; if it is, then you do not allow them to initiate a password reset, but instead show an error letting them know the account has been locked down.
  2. When an account is locked down you change the account status, so even if the user resets his password, he/she will still not be able to log in before you lift their lockdown. I.e. you check against this status on the login page.

If I break that cycle and require an Admin’s (i.e. “my”) intervention, then I can do some research and look for any suspicious patterns before I send out a Password Reset. For example, maybe I notice this is a regular issue. Or that something else looks suspicious, like the failures keep coming from an IP in China, and yet this User is in Des Moines, IA?

This is something that you can just as easily do automatically by using a geolocation database/service and validating the person logging in or asking for a password reset. Or, for example, if they try to do a specific thing within the member area from a new country. A good example of the last one is PayPal: if you try to initiate a transfer from your PayPal account from a new country (if you're on vacation, for example), they will lock down your account. In this case, it is a security feature I believe is well placed, since the risk of damage is pretty high if the account was hijacked.

Let’s say you have an ex-lover who is still pissed at you for breaking their heart, and since they know your Username/Email, this crazed ex-lover just keep trying and trying and trying until he/she finally get in?!

If this is a problem, then it means the site in question is in a specific niche, and if this is the case then added security features like this might be a valid option. (Other than that, this problem is actually also a brute force issue, only that it is done manually instead of automatically.)

The problem is that unless you change the username at the same time as you unlock the account, the person can just come back and try again. Which just delays the problem.

An idea to try here would be to implement an SMS service, and if an account is locked down you send an SMS to the user letting them know (you should also send them an email). That will let them know right away if someone else tries to log in to their account; in addition you can allow them to re-enable their account themselves, by entering a code delivered by SMS, for example. This is actually a “commonly” used solution by larger companies, since it does add a more secure lockdown but at the same time keeps the “manual support work” to a minimum. Today implementing an SMS service is much simpler than it was a decade ago, and unless you need a lot of messages there are a lot of providers that have a free “entry package”.

Some of the methods mentioned above do require a higher level of programming knowledge, so I am not sure if they are all viable options for you. Please note that there are free GeoIP databases and services as well, so you can implement all of these with the only cost being the time it takes to program it.
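The two options in the post above (refuse a reset while the account is locked; keep a separate locked status that the login page checks first) together with the self-service unlock code, as an added example that is not code from the thread. Python is used for illustration although the site is PHP. The `OUTBOX` list stands in for whatever SMS or e-mail gateway delivers the code; the code length, its 10 minute lifetime and the three-try limit on the code itself are assumptions. The password is hashed with plain SHA-256 only to keep the example short; a slow salted KDF belongs in real code.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED = 3
CODE_TTL = 10 * 60   # unlock code valid for 10 minutes (assumption)
MAX_CODE_TRIES = 3   # guessing the 6-digit code gets its own strike limit

OUTBOX = []  # stand-in for the SMS/e-mail gateway: (username, code) pairs


def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


@dataclass
class Account:
    username: str
    pw_hash: bytes
    locked: bool = False      # the account status flag set when the strike limit is hit
    failed_attempts: int = 0
    code_hash: Optional[bytes] = None
    code_expires: float = 0.0
    code_tries: int = 0


def make_account(username: str, password: str) -> Account:
    return Account(username, _h(password))


def issue_unlock_code(acct: Account, now: float) -> None:
    code = "%06d" % secrets.randbelow(10**6)
    acct.code_hash, acct.code_expires, acct.code_tries = _h(code), now + CODE_TTL, 0
    OUTBOX.append((acct.username, code))  # delivered out of band, never echoed to the web session


def login(acct: Account, password: str, now: float) -> str:
    # Option 2: the status flag is checked before anything else, so a password
    # that was somehow reset while locked still does not get anyone in.
    if acct.locked:
        return "locked"
    if hmac.compare_digest(_h(password), acct.pw_hash):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED:
        acct.locked = True
        issue_unlock_code(acct, now)  # tells the real owner right away
        return "locked"
    return "bad_password"


def request_password_reset(acct: Account) -> str:
    # Option 1: refuse to start a reset for a locked account and say how to reach
    # support instead. A reset never touches failed_attempts either way.
    if acct.locked:
        return "refused: account is locked; contact support to unlock it"
    return "reset e-mail sent"


def unlock_with_code(acct: Account, code: str, now: float) -> str:
    if acct.code_hash is None or now > acct.code_expires:
        return "expired"  # no live code: only support can unlock now
    acct.code_tries += 1
    if not hmac.compare_digest(_h(code), acct.code_hash):
        if acct.code_tries >= MAX_CODE_TRIES:
            acct.code_hash = None  # burn the code rather than let it be guessed
        return "bad_code"
    acct.locked, acct.failed_attempts, acct.code_hash = False, 0, None
    return "unlocked"
```

The code is stored hashed and compared with `hmac.compare_digest`, and it is burned after three wrong tries, because a six-digit code with unlimited attempts is a smaller brute-force target than the password it is protecting.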

You’re not understanding what I have…

When a User is logged in, he/she has an option to “Change Password” under User Preferences. (Must be logged in to do this!!)

When a person is trying to log in, beneath the Log-in Form, is a link which says “Reset Password”. (This exists if you cannot remember your Password!!!)

Follow me?

Maybe for v3.0, but too much additional work for now.

My point is that I think this could be a common issue, and so it makes no sense to attempt to lock people out when they ultimately get unlimited tries to log in?!

Huh?

Nooo… If a hacker is trying to guess Debbie’s password, and I send a “Reset Email” which has a link that resets the User’s password AND requires him/her to choose a New Password, then it solves the problem I am trying to prevent, i.e. people trying to guess other people’s passwords!!

And if a Hacker had access to the User’s email, then that is a whole other issue?!

Since I have never owned a cell phone, I am clueless on such solutions.

So what would “I” need to buy or have to implement such a solution??

From the little I do understand, my website would need to send a “Text” to a User’s Cellphone/Smart Phone with the message you describe above, right?

What kind of infrastructure do I need to do that?

Would I have to buy something from a Wireless Provider (e.g. AT&T)?

Or could I do that for free - like e-mails - via the Internet?

Sincerely,

Debbie

P.S. Anyone else have any opinions on this??

The more differing perspectives, the better!!

At this point Debbie now has a new password and shouldn’t be locked out.

If it were someone other than Debbie who caused the lock, then their attempt to do the reset would send Debbie a new temp password. While this may release the lock on the original password, the password has now changed, and so anyone other than Debbie trying to break in does not know if any of the prior login attempts would now work. So the system is still effectively preventing a brute force attack even though the lock can be easily released, since releasing the lock also changes the password so that the attack has to start over.

There is no problem with the reset releasing the lock provided that it also changes the password.
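The property argued for in the post above, as an added example that is not code from the thread (Python for illustration; the site is PHP). Instead of mailing a temporary password, the example mails a single-use reset token, which is the more common form today; the token lifetime and the function names are assumptions. The two things the test checks are the ones that matter: merely requesting a reset changes nothing, and completing it both replaces the password and clears the strikes, so whatever an attacker learned from the earlier guesses is worthless.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED = 3
TOKEN_TTL = 30 * 60  # reset link valid for 30 minutes (assumption)


def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    reset_hash: Optional[bytes] = None  # sha256 of the outstanding reset token, if any
    reset_expires: float = 0.0


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, kdf(password, salt))


def login(acct: Account, password: str) -> str:
    if acct.failed_attempts >= MAX_FAILED:
        return "locked"
    if hmac.compare_digest(kdf(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    return "locked" if acct.failed_attempts >= MAX_FAILED else "bad_password"


def request_reset(acct: Account, now: float) -> str:
    """Allowed even for a locked account. Requesting changes nothing about the
    lock or the password; the returned token goes only to the registered e-mail."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires = now + TOKEN_TTL
    return token


def complete_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    """The only path that releases the lock, and it does so by replacing the password."""
    if acct.reset_hash is None or now > acct.reset_expires:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_hash):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = kdf(new_password, acct.salt)
    acct.failed_attempts = 0  # lock released here, and only here
    acct.reset_hash = None    # the token is single-use
    return True
```

The token is stored as a hash so a read of the user table does not hand out live reset links, and it is invalidated on use so a link that leaks from a mailbox later cannot be replayed. If an attacker requests resets to annoy the owner, the owner receives mail but the account state is untouched.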

Okay, that is a good explanation.

I guess as long as a hacker does NOT have access to the target’s e-mail account, the best they could do would be to take 3 wild guesses, get locked out, and then have to wait until the Member changed his/her password, and try again.

Although, as I currently have things set up, a Member can ignore the “Reset Email” and leave things as-is.

Maybe I should tweak that, and assume the worst, and force a person to change their password when a lock-out happens?

Of course, that is even more coding… :frowning:

Sincerely,

Debbie