Max invalid number of password fails

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

What operating system were you running when the bug appeared?
What database platform is your site using?
What version of mojoPortal are you running?
What version of .NET do you use?
What steps are necessary to reproduce the issue? Compare expected results vs actual results.

This thread is closed to new posts. You must sign in to post in the forums.

6/20/2007 10:01:28 AM

Alexander V. Yushchenko

Total Posts 488

View Posts

Max invalid number of password fails

In site settings there are 2 settings:

- Max Invalid Password Attempts (5 by default)

- Password Attempt Window in Minutes (5 by default)

1. I tried to enter invalid password more than 5 times. For the first several attempts I see the "invalid password message", after that the user is blocked and when trying to log in no message is displayed.

It would be nice to display some "you are blocked" message in this case.

2. During this scenario I did not see any additional windows, etc. What is "Password Attempt Window", by the way? How this should work?

6/20/2007 3:51:46 PM

Joe Audette

Total Posts 18439

View Posts

Re: Max invalid number of password fails

I will look into showing a locked out message there.

Password Attempt Window has nothing to do with a UI window, it is a window of time, 5 minutes by default. If you fail login x times within that window of time your account will be locked. x = Max Invalid Password Attempts setting.

Thanks,

Joe

6/21/2007 2:40:23 AM

Alexander V. Yushchenko

Total Posts 488

View Posts

Re: Max invalid number of password fails

2. Thanks for the explaination. It would be nice to write it in a help text for these options as I am possibly not the only one to be confused about it.

3. Is it possible to switch off this check?

P.S. I am not going to switch it off in my case, just for understanding and correct messages translation. what happens if I set this to zero?

7/5/2007 6:45:55 AM

Joe Audette

Total Posts 18439

View Posts

Re: Max invalid number of password fails

Hi Alexander,

2. The help files are in svn

3. Disabling it by setting it to 0 is my expectation of how it should work. Maybe you can test and let me know. I looked in the mojoMembershipProvider.cs but all I'm doing there is incrementing the counts. I think the lockout implementation is in the the asp.net login control and part of the runtime.

Thanks,

Joe

7/5/2007 10:39:23 AM

Alexander V. Yushchenko

Total Posts 488

View Posts

Re: Max invalid number of password fails

2. Thanks.

3. It's not so. If I set "Max Invalid Password Attempts" to zero, the user is blocked after 1 password failure.

4. As I can see, I can also set both these settings even to -1. It would be nice not to allow this.

7/5/2007 7:26:09 PM

Joe Audette

Total Posts 18439

View Posts

Re: Max invalid number of password fails

In svn I have modified such that if Max Invalid Passwords <= 0 it will not increment the attempt count and therefore not cause lockout.

Thanks,

Joe

7/6/2007 8:30:15 AM

Alexander V. Yushchenko

Total Posts 488

View Posts

Re: Max invalid number of password fails

That's great.

But what about not allowing to set these settings below zero?

7/23/2007 8:52:16 AM

Joe Audette

Total Posts 18439

View Posts

Re: Max invalid number of password fails

If you add it to the QA page I will get to it sometime but its low priority, very easy to add a validator though so I will do it sometime soon.

Thanks,

Joe

You must sign in to post in the forums. This thread is closed to new posts.