accountBlocker

Keeps track of blocked user accounts (accounts become blocked after too many failed logins).

Explanation:

The Account Blocker limits password and token guessing: it blocks a user (or the whole system) after too many failed login attempts.

When a user has entered a wrong password or wrong token more than afterFailedLogins times, that user becomes blocked and cannot log in again for the next blockFor milliseconds (3600000 means "for 1 hour").

Only failed login attempts that occurred within the last afterFailedLoginsWithin milliseconds are counted (9223372036854775807, the largest signed 64-bit value, means "forever").

If more than blockWholeSystemAfter users are blocked at the same time, all users become blocked. (This bounds the number of blocked accounts that have to be kept in memory.)
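The blocking rules described above, modelled in Python as an added example (this is not the project's own implementation). The now_ms clock argument is a hypothetical addition so that the sliding window, block expiry and whole-system block can be exercised with controlled timestamps:

```python
import time
from collections import defaultdict, deque

FOREVER_MS = 9223372036854775807  # the "forever" window value from the sample below


class AccountBlocker:
    """Sliding-window model of the accountBlocker semantics described above."""

    def __init__(self, after_failed_logins=5, after_failed_logins_within=FOREVER_MS,
                 block_for=3600000, block_whole_system_after=1000000, now_ms=None):
        self.n = after_failed_logins              # failures tolerated before blocking
        self.window = after_failed_logins_within  # failures older than this are forgotten
        self.block_for = block_for                # how long a block lasts (ms)
        self.max_blocked = block_whole_system_after
        # Injectable clock (hypothetical parameter) so the behaviour can be tested offline.
        self.now_ms = now_ms or (lambda: int(time.time() * 1000))
        self.failures = defaultdict(deque)        # user -> timestamps (ms) of failed logins
        self.blocked_until = {}                   # user -> ms until which the block lasts
        self.system_blocked_until = 0             # > now means every login is refused

    def _expire(self, user, now):
        # An expired block is dropped with the failures behind it: fresh budget afterwards.
        until = self.blocked_until.get(user)
        if until is not None and now >= until:
            del self.blocked_until[user]
            self.failures.pop(user, None)

    def is_blocked(self, user):
        now = self.now_ms()
        if now < self.system_blocked_until:
            return True
        self._expire(user, now)
        return user in self.blocked_until

    def record_failure(self, user):
        """Call after a wrong password or token; returns True if the user is now blocked."""
        now = self.now_ms()
        self._expire(user, now)
        q = self.failures[user]
        while q and now - q[0] > self.window:   # keep only failures inside the window
            q.popleft()
        q.append(now)
        if len(q) > self.n:                      # "more than afterFailedLogins times"
            self.blocked_until[user] = now + self.block_for
            active = sum(1 for t in self.blocked_until.values() if t > now)
            if active > self.max_blocked:        # too many blocked users: block everyone
                self.system_blocked_until = now + self.block_for
        return self.is_blocked(user)
```

A successful login would normally clear the user's failure history; the model omits that path to stay focused on the blocking rules.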

Discussion

Suppose a scripted dictionary attack tries to guess a user's password. With the sample configuration below, which is also the default if no accountBlocker is declared, the attacker gets 5 guesses per 3600000 milliseconds (one hour), or 42720 guesses per year.

The probability of hitting a password chosen uniformly at random from the standard German vocabulary within one year is therefore about 56%.

A stronger password should therefore be chosen, one that contains letters, digits and special characters.


Syntax

accountBlocker:
  afterFailedLogins: <number>
  afterFailedLoginsWithin: <number>
  blockFor: <number>
  blockWholeSystemAfter: <number>

Sample

<accountBlocker
   afterFailedLogins="5"
   afterFailedLoginsWithin="9223372036854775807"
   blockFor="3600000"
   blockWholeSystemAfter="1000000" />

Attributes

Name                    | Required | Default             | Description                                                                                  | Examples
afterFailedLogins       | false    | 5                   | Number of failed login attempts a user may make before being blocked                         | 5
afterFailedLoginsWithin | false    | 9223372036854775807 | Window in milliseconds within which the failed attempts are counted (the maximum value means "forever") | 9223372036854775807
blockFor                | false    | 3600000             | Duration in milliseconds for which a blocked user cannot log in                              | 3600000
blockWholeSystemAfter   | false    | 1000000             | Number of simultaneously blocked users after which all users are blocked                     | 1000000

Can be used in