I would like the option to, after the maximum number of failed login attempts has been exceeded, require users to do password recovery instead of blocking their accounts.

I do not want it possible for a harasser to cause a harassed member's account to be blocked by maxing out the number of failed attempts. I would like the harassed member to be able to recover from the harassment quickly by doing lost password recovery rather than have the member wait for an admin to unblock the account. I also do not want my site's admin to spend time unblocking accounts due to harassment cases.

I also do not want it possible for an account blockage to happen because a spambot correctly guessed a user name but failed to guess the right password.

Comments

ilo

Sounds reasonable, but you can prevent most of these cases by using current available options.

Enable 'delay base time' so every login attempt will be punished in time, don't use 'hard block' and select a high 'soft block' value. This way, users would regularly go to the password reset option before the account is blocked, bored of long waits, or in the worst case will have to wait for an hour or so (the time window value) to be able to try to login again because of the soft block, but after that hour they can start password guessing again. No accounts blocked.

As a final comment, if a spam bot guesses a username and locks an account trying to guess the password, where is the problem? Do you prefer the bot to be able to try and try?

spflanze

The problem is one of administrator time usage and the time cost of managing the website. I want the user to be able to recover from this on his or her own without admin intervention. I also do not want the user to have to wait for one hour, or whatever the setting is, to recover.

I want the user to be able to recover on his or her own no matter what the blockage cause, whether that be a spambot correctly guessing a valid username, a harasser causing trouble or the user forgetting the password and trying too many times.

It would be adequate protection against a spambot guessing a password correctly if the account transitions to a status where the user must use password recovery. Once this status has been transitioned to it will not matter how many times the spambot guesses after that, because it will not get in even if the correct password is guessed.

I view the transition to a required password recovery as just one line of defense. Another would be the slowed login rate, which would also have the beneficial effect of reducing site traffic.
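
The state machine spflanze describes above (failed attempts trip a required-recovery state instead of a block, and completing recovery clears it), as an added Python sketch that is not part of the module or this thread; the class and parameter names are assumptions, the 'delay base time' and 'time window' analogues are modelled in the simplest way, and the password hashing is a stand-in for Drupal's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the real password hash; not how Drupal stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0            # failed attempts inside the current window
    window_start: float = 0.0    # start of the current soft-block time window
    recovery_required: bool = False


def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


class LoginGuard:
    def __init__(self, max_failures: int = 5, window: float = 3600.0, delay_base: float = 2.0):
        self.max_failures = max_failures   # analogue of the 'soft block' threshold
        self.window = window               # analogue of the 'time window' (seconds)
        self.delay_base = delay_base       # analogue of 'delay base time' (seconds)

    def attempt(self, acct: Account, password: str, now: float):
        """Return (status, delay_seconds); the caller is expected to enforce the delay."""
        if acct.recovery_required:
            return "recovery_required", 0.0   # right or wrong password: nobody gets in
        if now - acct.window_start > self.window:
            acct.failures, acct.window_start = 0, now   # window elapsed: counter restarts
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok", 0.0
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.recovery_required = True     # no admin unblock needed; user self-recovers
            return "recovery_required", 0.0
        return "denied", self.delay_base * acct.failures   # delay grows with each failure

    def recover(self, acct: Account, new_password: str) -> None:
        """Completing password recovery (token delivery is out of scope) resets the state."""
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.failures = 0
        acct.recovery_required = False
```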

ilo

Sorry, do you mean that password recovery is unavailable for soft-blocked users? I'd say no, it is not. So, you don't need the hardblock feature, please, don't use it. Configure the soft-block operation, as password recovery should reset any status of the user, except hard-blocking.

I'll try to extract the useful ideas of your comment and try to see if a new functionality should be included in the module.

Thanks so much for your submission.

mclinn

I agree with spflanze here -- this module sounds great, however it may not work for me unless the ability for users to recover on their own by requesting a new password is implemented. I believe I understand the "soft block" vs. "hard block" -- soft block might be fine in some cases. But I could see wanting / needing maximum security, meaning hard block, at times. The clincher, for me, is the possibility that this could become somewhat of a "time sink" if users then wind up being blocked, for whatever reason. The fact that this could happen maliciously is also somewhat spooky.

And, all that said -- Ilo, thanks for your great work here! Having supported accounting systems, among other things, I know the list of "just one more" feature can seem endless. Two sides to every story, indeed. If you're not too tired of looking at the code to add this capability it would be great but if not I sure understand.

deekayen

Version: 6.x-1.1 » 7.x-1.x-dev

Bumping version. Waiting on someone to propose a patch.