uk-netmarketing Archive (2011-2015)

[uk-netmarketing] Locking customers out of accounts after bad logins

Chris Baker chris at chrisjbaker.co.uk
Thu Nov 29 11:47:13 GMT 2012


Hi y'all
I'm working on a system which currently locks customers out of
their accounts if they exceed a certain number of bad login attempts. They
then can't use their account until unlocked again.

Currently, customer services get too many calls to unlock people, so it's
not working quite right. We are discussing how to tweak it, and
I wondered whether anyone on this list has experience that might guide us.

At present, we simply count up all your bad logins since
your account opened. No mistake is ever forgotten. When you exceed a
certain number, the system locks you out, and this is permanent,
until someone unlocks you.

We're discussing changing this to a system where bad logins are scored
against you, but your bad login score is reduced back to 0 when you log in
correctly. So Mr Fatfingers, who often mis-types his password wrongly the
first time then gets it the second time will no longer be locked out. We
also plan to make the lockout last for only a certain amount of time,
rather than "until over-ridden".

The question is therefore:
*How many bad attempts at logging in is reasonable (e.g. 3 strikes and
you're out? more? less?)
*How long a ban from the system is reasonable? (an hour? A day? More? Less?)

I'd like an outside perspective on those settings if possible - otherwise
you can end up at a meeting where several people are stubbornly dug in with
their arbitrary ideas, and nobody has any data to resolve anything. If
anyone has operated similar lockout logic, I'd be interested to hear how it
went.

The other thing we need to settle is how much to tell the users. A message
saying "Sorry, you have exceeded X bad logins and will now be locked out of
the system for Y hours" is helpful to forgetful genuine users, but also to
any hackers.

What are we defending? Once inside the system you can see the names
of people in the organization, and some stuff about their progress through
fairly standard processes. So you could potentially use this for bad stuff,
as well as annoying the user whose account you've hacked by trashing their
work. You can't see people's addresses, credit card info or other very
highly abusable data.


I'd be interested to see your ideas; many thanks.


-- 
Chris Baker
Chris Baker Project Management Ltd.
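The lockout scheme the post proposes (count consecutive bad logins, reset the count on a correct login, lock for a fixed time rather than until an operator intervenes) as a small working model. This is an added example, not code from the post or from any system it describes; the thresholds (3 strikes, 10-minute lock), the user names and passwords, the `verify` callback and the message texts are all assumptions chosen for illustration.

```python
"""Added example: time-limited login lockout driven by a consecutive
bad-login counter that a successful login resets. Not code from the
original post; thresholds, users and passwords are constructed."""
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    bad_attempts: int = 0      # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


# Assumed message. The generic text reveals nothing about whether the
# account exists, is locked, or which attempt this was.
GENERIC_FAILURE = "Login failed. Check your details and try again."


class LoginThrottle:
    def __init__(self, verify, max_bad_attempts=5, lockout_seconds=15 * 60,
                 clock=time.time, tell_user_lockout=False):
        self.verify = verify                    # verify(user, password) -> bool
        self.max_bad_attempts = max_bad_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable so tests control time
        self.tell_user_lockout = tell_user_lockout
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        st = self._state(user)
        now = self.clock()
        if st.locked_until and now >= st.locked_until:
            # Lock has expired: clear it and forgive the old failures.
            st.locked_until = 0.0
            st.bad_attempts = 0
        return st.locked_until > now

    def attempt(self, user, password):
        """Return (allowed, message). The password is not checked at all while
        the account is locked, so a guesser cannot use the lockout window to
        confirm a correct guess."""
        st = self._state(user)
        if self.is_locked(user):
            return False, self._lockout_message(st)
        if self.verify(user, password):
            st.bad_attempts = 0            # Mr Fatfingers is forgiven
            return True, "Welcome"
        st.bad_attempts += 1
        if st.bad_attempts >= self.max_bad_attempts:
            st.locked_until = self.clock() + self.lockout_seconds
            st.bad_attempts = 0
            return False, self._lockout_message(st)
        return False, GENERIC_FAILURE

    def _lockout_message(self, st):
        if not self.tell_user_lockout:
            return GENERIC_FAILURE
        remaining = st.locked_until - self.clock()
        minutes = max(1, int(remaining // 60))
        return f"Too many failed logins; try again in about {minutes} minute(s)."


# Constructed credential store (plain text only to keep the example short;
# a real system stores a salted password hash).
USERS = {"alice": "correct horse", "bob": "battery staple"}


def check_password(user, password):
    expected = USERS.get(user, "")
    # Constant-time compare; unknown users still fail via the membership test.
    return hmac.compare_digest(expected.encode(), password.encode()) and user in USERS


class FakeClock:
    """Controllable clock so the scenario below runs without waiting."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def run_scenario():
    """Walk through the post's two cases and return the allow/deny decisions."""
    clock = FakeClock()
    t = LoginThrottle(check_password, max_bad_attempts=3, lockout_seconds=600,
                      clock=clock, tell_user_lockout=True)
    log = []
    log.append(t.attempt("alice", "corect horse")[0])   # typo: denied
    log.append(t.attempt("alice", "correct horse")[0])  # allowed, counter reset
    for _ in range(3):
        log.append(t.attempt("alice", "guess")[0])      # denied; third locks
    log.append(t.attempt("alice", "correct horse")[0])  # denied: still locked
    clock.now += 600                                    # lock expires
    log.append(t.attempt("alice", "correct horse")[0])  # allowed again
    return log


if __name__ == "__main__":
    print(run_scenario())
```

`tell_user_lockout` is the knob for the "how much to tell users" question: with it off, a locked account and a wrong password produce the same response, so a guesser learns nothing from the lockout itself. One caveat that applies to any per-account scheme, including this one: anyone who knows a username can deliberately lock that user out, so the time-limited lock bounds the nuisance but does not remove it; that is a reason to keep the lock duration short and to also watch failure rates per source address, which this example does not do.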

