Forums / Suggestions / account auto lock out

account auto lock out

8 posts, 0 answered
  1. Josef Rogovsky
    39 posts
    Registered:
    04 Sep 2012
    11 Aug 2007

    I'm working on several projects with SF Community Edition and I'm a little concerned about a hacker accessing the CMS environment with a brute force attack of the admin account password.

    I'd like to suggest a feature for the next version of SF where an account will auto lock after a designated number of failed login attempts. The user would be required to follow a password reset procedure before the account can be used again.

    For a recent non-SF project we implemented a reset procedure (both for locked accounts and users who had merely forgotten their passwords). We set up a page to initiate the reset request. The user would have to enter their username, email address and date of birth. If the entered information was correct, the user would then have to answer a previously designated personal question. If that personal question was answered correctly, the system would then send the user an email containing a specially encoded url (with encrypted querystring parameters). The url would take the user to a different page and, if the querystring was parsed successfully, present the user with a form to specify and confirm their new password.


    This reset procedure was very easy to implement and could be implemented in SF with a few custom user controls. The only thing that I'm not sure I can do is add the auto lock out functionality on the admin login screen. This is why I'm asking for the feature to be included in the next version of SF.
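The emailed reset link described in the post above is the piece that carries the security weight: whoever holds the link can set a new password. The block below is an added example (not the poster's code and not Sitefinity's) of one way to build that step so the link cannot be forged, replayed or used after it has gone stale. It swaps the post's encrypted querystring parameters for a random token whose hash is stored server-side; the user store, the 15-minute lifetime, the `u`/`t` parameter names and the clock passed in as `now` are all assumptions made for the example.

```python
"""Single-use, time-limited password reset tokens (added example).

Assumptions (constructed for this example): an in-memory store stands in
for the users table; the caller supplies the current time as `now` so the
expiry logic can be exercised deterministically; the reset page reads the
username and token from the `u` and `t` query parameters.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: a reset link is good for 15 minutes


@dataclass
class ResetRecord:
    token_hash: bytes   # only the hash is persisted; a DB read yields no usable link
    expires_at: float


@dataclass
class UserStore:
    pending: dict = field(default_factory=dict)  # username -> ResetRecord


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(store: UserStore, username: str, now: float) -> str:
    """Mint a fresh random token for `username`, replacing any earlier one.

    Called only after the identity checks the post describes (username,
    email, date of birth, personal question) have passed.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.pending[username] = ResetRecord(
        token_hash=_hash_token(token),
        expires_at=now + TOKEN_LIFETIME_SECONDS,
    )
    return token


def build_reset_url(base_url: str, username: str, token: str) -> str:
    """Build the link that goes into the email."""
    return base_url + "?" + urlencode({"u": username, "t": token})


def parse_reset_url(url: str):
    """Return (username, token) from a reset link, or None if either is missing."""
    qs = parse_qs(urlparse(url).query)
    try:
        return qs["u"][0], qs["t"][0]
    except (KeyError, IndexError):
        return None


def redeem_reset_token(store: UserStore, username: str, token: str, now: float) -> bool:
    """Return True exactly once for a valid, unexpired token.

    The record is deleted on success (so the link cannot be replayed) and on
    expiry (so a stale link is not left lying around); a wrong token leaves the
    record in place, and the comparison is constant-time.
    """
    record = store.pending.get(username)
    if record is None:
        return False
    if now > record.expires_at:
        del store.pending[username]
        return False
    if not hmac.compare_digest(record.token_hash, _hash_token(token)):
        return False
    del store.pending[username]
    return True


if __name__ == "__main__":
    store = UserStore()
    tok = issue_reset_token(store, "alice", now=1000.0)
    link = build_reset_url("https://example.invalid/reset", "alice", tok)
    user, tok_from_link = parse_reset_url(link)
    print("first use:", redeem_reset_token(store, user, tok_from_link, now=1001.0))
    print("replay:   ", redeem_reset_token(store, user, tok_from_link, now=1002.0))
```

The reset page should also invalidate every other active session for the account once the new password is saved, and rate-limit the request page itself; neither is shown here.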
  2. Vangelis
    153 posts
    Registered:
    07 Jan 2006
    11 Aug 2007
    I agree with Josef.

    Also, a CAPTCHA implementation at login will improve security. A login error log will also help to trace some incidents, and notification alarms on login errors will improve security a lot.

    Best regards

    Vagelis
  3. Vlad
    498 posts
    Registered:
    15 Jul 2016
    13 Aug 2007
    Hi,

    Thank you for the suggestions.
    You are right that currently Sitefinity is vulnerable to this kind of brute force attack.
    We are actually working now on improving our TelerikMembershipProvider to support the basic SqlMembershipProvider functionality for password lockout. It will be available in Sitefinity 3.1.
    At the time being, you could modify the login page ( ~/Sitefinity/Login.aspx ) to fit your needs.

    Josef,
    Your requirement for resetting users is quite specific; we are not sure that it will be implemented in the next version, as we intend to add only the basic functionality for locking users. However, we believe that you will be able to add any additional functionality in the Login form.

    Vagelis,
    A CAPTCHA implementation can be done by customizing the login page ( /Sitefinity/Login.aspx ). It should not be a problem to add such functionality. However, we are not planning to provide a CAPTCHA generator for Sitefinity because it would be vulnerable to relay attacks and would be quite useless.

    Please, let us know if you have additional questions or suggestions.

    Best wishes,
    Vlad
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  4. Julia Shah
    13 posts
    Registered:
    03 Sep 2012
    25 Aug 2008
    Hi,

    This topic is a year old, and I was wondering if the password lockout feature has ever been implemented. If so, how many attempts can users make, or is there a setting for it somewhere?

    Thank you,
    Julia
  5. Sean
    271 posts
    Registered:
    31 May 2006
    26 Aug 2008
    Hi Julia,

    I am pretty sure this has been implemented, as I know I have had to unlock a few of my users who don't know how to type :). The only problem with this, though, is that (as far as I know) the only way to unlock them is through the database, or if you customize the Users form to be able to unlock the users.

    There was a link posted by Vlad to an MSDN article for the SqlMembershipProvider; in there is the web.config example to set up how many valid attempts the user has. The only real difference is that in Sitefinity it is using the TelerikMembershipProvider.

    Hope that helps.
    Sean
  6. Georgi
    3583 posts
    Registered:
    28 Oct 2016
    29 Aug 2008
    Hi,

    Sean,
    You are right, this feature is also implemented for our provider. You probably had too big a value for the passwordAttemptWindow property; that is why your users remained locked :)

    Julia,
    Having all that said, here is an example of these settings in the web.config:
    <membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">
      <providers>
        <clear />
        <add name="Sitefinity"
             connectionStringName="DefaultConnection"
             type="Telerik.DataAccess.AspnetProviders.TelerikMembershipProvider,Telerik.DataAccess"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0" />
      </providers>
    </membership>

    In this case, you will have only 1 attempt for 10 minutes to submit the password.

    Sincerely yours,
    Georgi
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
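The two attributes in Georgi's web.config, maxInvalidPasswordAttempts and passwordAttemptWindow, are easier to reason about when the counting rule is written out. The block below is an added example, not Telerik's provider code: it models the documented SqlMembershipProvider behaviour (failures inside the window accumulate, reaching the maximum locks the account, and a locked account stays locked until an administrator unlocks it, however long the window) with the values from the posted config as defaults, and it keeps the per-attempt audit log that Vangelis asked for earlier in the thread, with a small helper that flags users whose failure count crosses an alert threshold. The in-memory user store, the `now` clock argument and the event names are assumptions made for the example.

```python
"""Model of membership lockout counting and a login audit log (added example).

Not Sitefinity's or Telerik's provider code. Assumptions (constructed):
an in-memory dict stands in for the users table, the caller passes the
current time in seconds as `now`, and the event names are invented here.
Defaults mirror the posted web.config: maxInvalidPasswordAttempts="1",
passwordAttemptWindow="10" (minutes).
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field


def _hash(password: str) -> bytes:
    # Stand-in for passwordFormat="Hashed"; a real provider salts per user.
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class UserRecord:
    password_hash: bytes
    failed_attempts: int = 0
    window_start: float = 0.0
    is_locked_out: bool = False


@dataclass
class MembershipProvider:
    max_invalid_password_attempts: int = 1   # from the posted web.config
    password_attempt_window: int = 10        # minutes, from the posted web.config
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (time, event, username)

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = UserRecord(_hash(password))

    def _log(self, event: str, username: str, now: float) -> None:
        self.audit_log.append((now, event, username))

    def validate_user(self, username: str, password: str, now: float) -> bool:
        user = self.users.get(username)
        if user is None:
            self._log("unknown_user", username, now)
            return False
        if user.is_locked_out:
            # Correct password or not, a locked account is rejected until unlocked.
            self._log("locked_rejected", username, now)
            return False
        if hmac.compare_digest(user.password_hash, _hash(password)):
            user.failed_attempts = 0
            self._log("success", username, now)
            return True
        # Bad password: count it inside the current window, or start a new window.
        window_seconds = self.password_attempt_window * 60
        if now - user.window_start > window_seconds:
            user.failed_attempts = 1
            user.window_start = now
        else:
            user.failed_attempts += 1
        self._log("bad_password", username, now)
        if user.failed_attempts >= self.max_invalid_password_attempts:
            user.is_locked_out = True
            self._log("locked_out", username, now)
        return False

    def unlock_user(self, username: str) -> bool:
        """Administrative unlock, the step Sean had to do by hand in the database."""
        user = self.users.get(username)
        if user is None:
            return False
        user.is_locked_out = False
        user.failed_attempts = 0
        return True


def users_over_threshold(provider: MembershipProvider, threshold: int) -> list:
    """Usernames with at least `threshold` bad_password events in the audit log,
    the kind of query a notification alarm would run."""
    counts = Counter(u for _, event, u in provider.audit_log if event == "bad_password")
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    p = MembershipProvider()
    p.create_user("alice", "correct horse")
    print("wrong pw:", p.validate_user("alice", "wrong", now=1000.0))
    print("right pw while locked:", p.validate_user("alice", "correct horse", now=1001.0))
    p.unlock_user("alice")
    print("right pw after unlock:", p.validate_user("alice", "correct horse", now=1002.0))
    for entry in p.audit_log:
        print(entry)
```

With the posted values a single mistyped password locks the account, which matches Sean's experience of users locked out "who don't know how to type"; a larger maxInvalidPasswordAttempts with the same window is the usual compromise between brute-force resistance and support load.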
  7. OC
    129 posts
    Registered:
    17 Nov 2004
    05 Nov 2008
    What about the suggestion for a login log?

    Is there any way I can find information on logins and login attempts? In Sitefinity or maybe in the .Net security framework. I'm investigating a possible break-in.

    Thanks,
    OC
  8. Georgi
    3583 posts
    Registered:
    28 Oct 2016
    10 Nov 2008
    Hello Mutantmannen,

    All information about user logins and wrong password attempts can be found in the database table telerik_users. Please take a look at the available fields.

    Regards,
    Georgi
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.