[archive] Lock out users after multiple incorrect user/password attempts

  • December 9, 2010
  • 20 replies

[Migrated content. Thread originally posted on 09 December 2010]

I have a customer who would like us to implement a facility whereby a user is "locked out" if they enter a userid/password incorrectly more than 5 times. We are running AcuConnect with an AcuAccess file on our Linux server and Acuthin on the Windows clients. Does anyone know if/how this can be done?

Thanks

Nick Brook
CCS (2002) Ltd, Rossendale

What - 5 times in a row or 5 times over a period of time?

If it's 5 times in a row then that should be easy enough - we lock users out if they get it wrong after 3 attempts.

Hi Shaun,

Yes 5 times in a row. How do you do it please?

Well, what we do is when users begin to login (they have to enter a user name/password as we do not use the window user name for authenticity) we literally reset a counter.
Each time they get the password wrong, we increment that counter.
Once it reaches 3 in our case, we flag the user account appropriately and rewrite the record.
Tell the user he's daft or something more appropriate and terminate.

Next time he tries to login, that flag will be set and he's told to contact the system administrator.

What mechanism do you use to get the user to login? We have a noddy program (written in Borland Turbo by an employee who has left!!) which asks for a userid and password and then constructs an Acuthin command line with the userid and password on it. Consequently, if the login is unsuccessful, all that happens is that the user is disconnected and has to start again. Because the login process is controlled by AcuConnect we never see the attempt from our application and are therefore unable to tell if this has happened. Also, our customer wants to protect against a third party trying a brute force attack which may be by writing a program to generate Acuthin command lines with randomly generated passwords which will eventually find the correct one.

Any ideas on how we can do this please?

Ah - OK Nick.

What mechanism - we control it from our menu driver.
First thing it does is ask for a username/password.

Can you not write a login program in Acu?
You'd be in total control then, and the lock out will be easy then.

We could do that but then we would have to licence Acucobol on all our customers' machines and that's not how we operate. We provide a hosted debt recovery system to many customers, each with many users. Also, some clever *** could download acuthin and then sit at home (or in Romania where a lot of these b*****ds are) trying random passwords. I need a mechanism to get Acuconnect to at least tell me when there has been an invalid login and then I can track it and do something about it.

Romania :D

Sorry, I'm confused now

You say this noddy program constructs an acuthin command line.
Surely that means acuthin is already installed Nick - no?

Yes, Acuthin is installed but NOT Acucobol. Acuthin is free, AcuCobol has to be licenced and paid for.

I suspect I'm missing something very obvious here Nick.

Here's what we do.

Users double click an icon for our application on their desktop.
This is an acuthin link which points to the server configuration entry defined by acurcl.
This then runs our menu driver which in turn calls our security routines, which either grant or deny access to the application.

Ahhhhh. I see.

What you're missing is that we use the AcuAccess facility within Acuserver to do the authorisation, while you use a "menu driver" and your own security routines. I am assuming therefore that you do not use the "acurcl -access" routines to set up security but some other mechanism to identify and authorise your users?

Yes.

We have a generic user to connect with via acuaccess, then our own security in the application.
Probably not an option for you to change then.

OK thanks Shaun, now we are both on the same page!

I have changed things a bit and have set the trace level to 3 on the server config file. After PASSWORD_ATTEMPTS have been made it now puts a "failed" message in the log file. I can write a noddy program to look at this file periodically and if it finds the failed message can do something like set a flag in the user's access record to say it's been the subject of a failure and therefore not allow login.

This will achieve what I need for this (hopefully) new customer. Another box ticked on the seemingly endless list provided by their Information Security people. Don't you just love large organisations?

Thanks for all your help Shaun.

Regards Nick
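
The periodic log scan described in the last post, sketched in Python as an added example (not code from the thread or from AcuConnect). The log line format, the regex, and the JSON state file standing in for the flag on the user's access record are all assumptions; the scan remembers how far it has read, ignores a line that is still being written, and starts over if the log has been rotated.

```python
import json
import os
import re
import tempfile

# ASSUMPTION: the thread shows no real log lines; adapt this to the server's.
FAILED_RE = re.compile(r"login failed for user '([A-Za-z0-9_.-]{1,32})'")

def load_state(path):
    if not os.path.exists(path):
        return {"offset": 0, "locked": []}
    with open(path) as fh:
        return json.load(fh)

def scan(log_path, state_path):
    """Read only what was appended since the last run; return new lockouts."""
    state = load_state(state_path)
    if os.path.getsize(log_path) < state["offset"]:
        state["offset"] = 0                    # log rotated or truncated
    before = len(state["locked"])
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        for raw in fh:
            if not raw.endswith(b"\n"):
                break                          # partial line, retry next run
            state["offset"] += len(raw)
            m = FAILED_RE.search(raw.decode("utf-8", "replace"))
            if m and m.group(1) not in state["locked"]:
                state["locked"].append(m.group(1))
    tmp = state_path + ".tmp"                  # write then rename: no torn file
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, state_path)
    return state["locked"][before:]

def is_locked(state_path, user):
    return user in load_state(state_path)["locked"]

def demo():
    # Constructed sample lines, not real AcuConnect output.
    d = tempfile.mkdtemp()
    log, st = os.path.join(d, "server.log"), os.path.join(d, "locks.json")
    with open(log, "w") as fh:
        fh.write("10:01:07 connect user 'asmith'\n"
                 "10:02:31 login failed for user 'bjones'\n"
                 "10:02:40 login failed for us")   # line still being written
    first = scan(log, st)
    with open(log, "a") as fh:
        fh.write("er 'cwhite'\n")
    return first, scan(log, st), is_locked(st, "asmith")
```

Run from cron or a similar scheduler, each pass costs only the bytes appended since the previous one.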