Brute force prevention

Jest

LOMCN Veteran
Oct 29, 2005
So. The server has been hacked and everybody's account information is available to the public (apparently, but I don't know where). You may have changed your password and think you're safe, however, this is sadly not the case.

If a complete list of accounts is to be viewed by 'Joe AverageHacker' then he simply has to find a decent level account and set up a brute force attempt. To my understanding there is currently no protection against this type of attack since I just tested the wrong password 10 times in a row, then successfully logged in using the right one.

Please change urgently.
 

Merc_Draven

LOMCN Veteran
Sep 19, 2013
Please avoid these passwords
https://www.youtube.com/watch?v=0Jx8Eay5fWQ
 

The NightAngel

Banned
Dedicated Member
Loyal Member
Feb 8, 2014
Won't this database have the details regarding Q+A anyway? So can just request password using Q+A...
 

Tist

Dedicated Member
Loyal Member
Feb 19, 2014
Aye we should be given the chance now to change other details too.
 

Far

tinmymouthpl0x
Staff member
Administrator
May 19, 2003
Q+A will only work if they have access to your email (I'd hope it doesn't just reset your password within the client directly). So unless you're silly enough to have used the same password for your email account too, Q+A would be fine.
 

Samuel

Mir Chronicles Dev
VIP
Feb 8, 2011
Thank you for highlighting this (I didn't know the accounts were not being suspended when an incorrect password is being used).

I have been doing some work on the login server and this should now be working.

Sam
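
Added example, not part of the original thread and not the login server's own code: a per-account failed-login counter with temporary suspension, replaying the test from the first post (ten wrong passwords, then the right one). The class name, the threshold of 5 failures, the 15-minute suspension and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5          # assumed threshold, not taken from the thread
LOCKOUT_SECONDS = 900     # assumed suspension length

class LoginGuard:
    """Per-account failed-login counter with temporary suspension (hypothetical)."""
    def __init__(self, clock):
        self.clock = clock            # callable returning seconds; injected so it can be tested
        self.accounts = {}            # name -> (salt, PBKDF2 hash)
        self.failures = {}            # name -> consecutive failed attempts
        self.locked_until = {}        # name -> time the suspension ends

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        salt = os.urandom(16)
        self.accounts[name] = (salt, self._hash(password, salt))

    def login(self, name, password):
        now = self.clock()
        if now < self.locked_until.get(name, 0):
            return "locked"           # checked before the password: a correct guess is refused too
        salt, stored = self.accounts.get(name, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures.pop(name, None)     # success resets the counter
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_FAILURES:
            self.locked_until[name] = now + LOCKOUT_SECONDS
            self.failures[name] = 0
        return "denied"


def replay_thread_test():
    """Constructed scenario: ten wrong passwords, the right one, then a retry after the suspension."""
    t = [0.0]
    guard = LoginGuard(clock=lambda: t[0])
    guard.register("demo_account", "correct horse")   # constructed sample account
    results = [guard.login("demo_account", f"guess{i}") for i in range(10)]
    results.append(guard.login("demo_account", "correct horse"))
    t[0] += LOCKOUT_SECONDS + 1
    results.append(guard.login("demo_account", "correct horse"))
    return results
```

With a leaked account list, anyone can trigger the suspension against a known account name, so a time-limited lock like this one is easier on legitimate users than a permanent one.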