uk-netmarketing Archive (2011-2015)

[uk-netmarketing] Locking customers out of accounts after bad logins

Sam Michel sam at chinwag.com
Wed Dec 5 12:10:18 GMT 2012


Hi Chris,

Sounds like sensible logic, although the lockout seems a bit draconian.

I can't remember the system, but I remember one that increased the length
of lockout time for each failed attempt. They provided a counter for the
user so they could see when the form would be enabled again.

As a footnote, we're seeing a tonne of fake accounts being created on some
of our systems. They're using captchas and email confirmations, so we're
pretty certain that there are humans at the end of the process.



Toodle Pip

Sam

--------------------------------------------------------------
Sam Michel, CEO, Chinwag - e: sam at chinwag.com
t: +44 (0)20 7183 2925 f: +44 (0)20 7099 4011
Chinwag - http://chinwag.com
@toodlepip <http://twitter.com/toodlepip> //
@Chinwag<http://twitter.com/Chinwag>//
@DigitalMission <http://twitter.com/DigitalMission> //
@SMWLDN<http://twitter.com/SMWLDN>//
@ChinwagJobs <http://twitter.com/ChinwagJobs>
---------------------------------------------------------------
- Digital Mission to NYC, Feb 2013 -  http://chw.ag/b1Hs
- Social Media Week London - http://chinwag.com/events/smwldn
- Chinwag Jobs - http://jobs.chinwag.com
- Sam @ Chinwag: http://chinwag.com/blogs/sammichel
- Sam @ Toodlepip: http://www.toodlepip.co.uk
--------------------------------------------------------------
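The lockout policy the thread converges on, as an added example (a Python sketch written for this page, not code from Chris's system or from anyone on the list): Chris's reset-to-zero on a correct login and a time-limited ban rather than a lifetime count, plus the escalating lockout with a visible countdown that Sam recalls. Thresholds, names and the injectable clock are assumed.

```python
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # bad logins inside the current window
    lockouts: int = 0          # lockouts since the last correct login (drives escalation)
    last_failure: float = 0.0  # epoch seconds of the most recent bad login
    locked_until: float = 0.0  # epoch seconds; 0 means the account is open

class LoginThrottle:
    """max_failures bad logins inside `window` seconds lock the account for base_lockout
    seconds, doubling per further lockout up to max_lockout; a correct login clears all."""

    def __init__(self, max_failures=5, window=900, base_lockout=900,
                 max_lockout=86400, clock=time.time):
        self.max_failures, self.window = max_failures, window
        self.base_lockout, self.max_lockout = base_lockout, max_lockout
        self.clock, self._accounts = clock, {}  # clock is injectable for offline tests

    def seconds_until_unlock(self, user: str) -> float:
        """0 when a login may be attempted; otherwise the wait a UI can count down."""
        st = self._accounts.get(user, AccountState())
        return max(0.0, st.locked_until - self.clock())

    def record_success(self, user: str) -> None:
        self._accounts.pop(user, None)  # score goes back to zero

    def record_failure(self, user: str) -> float:
        """Returns the lockout just imposed in seconds, or 0 if none yet."""
        st, now = self._accounts.setdefault(user, AccountState()), self.clock()
        if now - st.last_failure > self.window:
            st.failures = 0  # stale mistakes are forgotten, not counted for life
        st.failures, st.last_failure = st.failures + 1, now
        if st.failures < self.max_failures:
            return 0.0
        duration = min(self.base_lockout * 2 ** st.lockouts, self.max_lockout)
        st.lockouts, st.failures, st.locked_until = st.lockouts + 1, 0, now + duration
        return float(duration)

def attempt_login(throttle: LoginThrottle, user: str, password_ok: bool):
    """Consult the throttle before trusting the verifier; returns (allowed, wait)."""
    wait = throttle.seconds_until_unlock(user)
    if wait > 0:
        return False, wait  # even a correct password is refused during a lockout
    if password_ok:
        throttle.record_success(user)
        return True, 0.0
    return False, throttle.record_failure(user)
```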



On 3 December 2012 12:30, Nabil <nabil at shabka.com> wrote:

>  Hey Chris,
>
> I think that doing it historically is a mistake.  All the systems I've
> come across do it on a per 'session' basis.  That's because what they're
> trying to do is stop a login script hacking into user accounts, not punish
> users.
>
> Most systems I've seen either:
>
> 1. Lock people out for say 15 to 30 minutes after 3-7 bad login attempts
> 2. Others then add an additional challenge question on top of the username
> and password to ensure identity (of course this has to have been set up by
> the user beforehand)
> 3. After x amount of tries and/or not passing the challenge question they
> are emailed a new password to the email address on record.
>
> Hope that helps.
>
> Nabil
>
>
> On 29/11/2012 11:47, Chris Baker wrote:
>
> Hi y'all
> I'm working on a system which currently locks customers out of
> their accounts if they exceed a certain number of bad login attempts. They
> then can't use their account until unlocked again.
>
>  Currently, customer services get too many calls to unlock people, so it's
> not working quite right. We are discussing how to tweak it, and
> I wondered whether anyone on this list has experience that might guide us.
>
>  At present, we simply count up all your bad logins since
> your account opened. No mistake is ever forgotten. When you exceed a
> certain number, the system locks you out, and this is permanent,
> until someone unlocks you.
>
>  We're discussing changing this to a system where bad logins are scored
> against you, but your bad login score is reduced back to 0 when you log in
> correctly. So Mr Fatfingers, who often mis-types his password wrongly the
> first time then gets it the second time will no longer be locked out. We
> also plan to make the lockout last for only a certain amount of time,
> rather than "until over-ridden".
>
>  The question is therefore:
> *How many bad attempts at logging in is reasonable (e.g. 3 strikes and
> you're out? more? less?)
> *How long a ban from the system is reasonable? (an hour? A day? More?
> Less?)
>
>  I'd like an outside perspective on those settings if possible -
> otherwise you can end up at a meeting where several people are stubbornly
> dug in with their arbitrary ideas, and nobody has any data to resolve
> anything. If anyone has operated similar lockout logic, I'd be interested
> to hear how it went.
>
>  The other thing we need to settle is how much to tell the users. A
> message saying "Sorry, you have exceeded X bad logins and will now be
> locked out of the system for Y hours" is helpful to forgetful genuine
> users, but also to any hackers.
>
>  What are we defending? Once inside the system you can see the names
> of people in the organization, and some stuff about their progress through
> fairly standard processes. So you could potentially use this for bad stuff,
> as well as annoying the user whose account you've hacked by trashing their
> work. You can't see people's addresses, credit card info or other very
> highly abusable data.
>
>
>  be interested to see your ideas, many thanks.
>
>
>  --
> Chris Baker
> Chris Baker Project Management Ltd.
>
>
>
> ~~ Chinwag Jobs: Find your perfect new job or next team member ~~
>
> Chinwag Jobs is the leading specialist recruitment website for digital
> roles in the UK. Used by major companies such as BBC, Electronic
> Arts, Kingston University as well as the majority of recruitment
> agencies who place staff in the sector.
>
> Take a look through our listings or register to advertise your
> own vacancies today.
>
>
>  CHINWAG JOBS: http://jobs.chinwag.com
>
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> You're subscribed to uk-netmarketing to change your options or
> unsubscribe: https://mm.chinwag.com/options/uk-netmarketing
>
> uk-netmarketing discussion list is powered by http://chinwag.com
>