CODEWITHSUNDEEP
asp.net-membership
stringo0
stringo0

Reputation: 2760

Asp.net Membership - Accounts getting locked out

We're using the standard ASP.net membership features that come with asp.net.

Certain accounts in our membership database have a "Locked Out" flag set to true - when/how does this happen?

Upvotes: 9

Views: 15748

Answers (4)

Chris
Chris

Reputation: 6325

Account locking is a feature of SqlMembershipProvider that provides a safeguard against password guessing.

Looking at this page you can see that the aspnet_Membership table has IsLockedOut, LastLockoutDate, FailedPasswordAttemptCount, FailedPasswordAnswer-AttemptCount. By reviewing this table and those columns you should be able to determin who is having a failed login, when they failed on their login, and how many times they failed.

The actual count for the number of login tries can be sest in the section of the web.config. You can read more about account locking here.

Upvotes: 2

Hannoun Yassir
Hannoun Yassir

Reputation: 21202

When someone try to login 5 times (or whatever "maxInvalidPasswordAttempts" is set to) with the wrong password the account gets locked out ...

to avoid this in the future change the attribute maxInvalidPasswordAttempts in the web.config

example : 

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
  <clear />
  <add 
    name="SqlProvider" 
    ....
    maxInvalidPasswordAttempts="the new value here "
  />
</providers>

Upvotes: 3

jim
jim

Reputation: 27426

These 4 guys did a great job of explaining in depth the asp.net membership controls

 <system.web>
... authentication & authorization settings ...

<membership defaultProvider="CustomizedProvider">
  <providers>
     <add name="CustomizedProvider"
          type="System.Web.Security.SqlMembershipProvider"  
          connectionStringName="MyDB"
          applicationName="MyProject"
          minRequiredPasswordLength="5"
          minRequiredNonalphanumericCharacters="0" />
  </providers>
</membership>

basically add your provider and then set the setting the way you'd like them

Upvotes: 5

&#181;Bio
&#181;Bio

Reputation: 10758

After a configurable number of failed logins (maxInvalidPasswordAttempts, default = 5) within a configurable length of time (passwordAttemptWindow, default = 10 minutes), the account will be locked out.

see here for membership related configuration properties

Upvotes: 13

Related Questions