
[archive] Lock out users after multiple incorrect user/password attempts

[Migrated content. Thread originally posted on 09 December 2010]

I have a customer who would like us to implement a facility whereby a user is "locked out" if they enter a userid/password incorrectly more than 5 times. We are running AcuConnect with an AcuAccess file on our Linux server and Acuthin on the Windows clients. Does anyone know if/how this can be done?

Thanks

Nick Brook
CCS (2002) Ltd, Rossendale

RE: [archive] Lock out users after multiple incorrect user/password attempts

What - 5 times in a row or 5 times over a period of time?

If it's 5 times in a row then that should be easy enough - we lock users out if they get it wrong after 3 attempts.

RE: [archive] Lock out users after multiple incorrect user/password attempts

Hi Shaun,

Yes 5 times in a row. How do you do it please?

RE: [archive] Lock out users after multiple incorrect user/password attempts

Well, what we do is when users begin to login (they have to enter a user name/password as we do not use the Windows user name for authenticity) we literally reset a counter.
Each time they get the password wrong, we increment that counter.
Once it reaches 3 in our case, we flag the user account appropriately and rewrite the record.
Tell the user he's daft or something more appropriate and terminate.

Next time he tries to login, that flag will be set and he's told to contact the system administrator.
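Added example, not part of the original thread and not AcuConnect or ACUCOBOL code: a Python sketch of the counter-and-flag scheme described in the reply above, using the threshold of 5 consecutive failures from the question. It assumes the failure counter is stored on the user record and reset only by a successful login, so disconnecting and reconnecting between guesses does not clear it; `AccountStore` and its field names are hypothetical.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # threshold asked for in the thread (the reply above uses 3)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    """Hypothetical user file: one record per user, rewritten on every attempt."""
    def __init__(self):
        self.records = {}

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.records[user] = {"salt": salt, "hash": _hash(password, salt),
                              "failures": 0, "locked": False}

    def login(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return "denied"            # same answer as a wrong password
        if rec["locked"]:
            return "locked"            # refused even if the password is right
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0        # only a success resets the run
            return "ok"
        rec["failures"] += 1           # kept on the record, survives reconnects
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True       # flag the account and rewrite the record
            return "locked"
        return "denied"

    def unlock(self, user):
        """Administrator action: clear the flag and the counter."""
        self.records[user].update(failures=0, locked=False)

def demo():
    store = AccountStore()
    store.add_user("nick", "correct horse")   # constructed sample account
    results = [store.login("nick", f"guess{i}") for i in range(5)]
    results.append(store.login("nick", "correct horse"))  # locked out now
    store.unlock("nick")
    results.append(store.login("nick", "correct horse"))
    return results

if __name__ == "__main__":
    print(demo())
```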

RE: [archive] Lock out users after multiple incorrect user/password attempts

What mechanism do you use to get the user to login? We have a noddy program (written in Borland Turbo by an employee who has left!!) which asks for a userid and password and then constructs an Acuthin command line with the userid and password on it. Consequently, if the login is unsuccessful, all that happens is that the user is disconnected and has to start again. Because the login process is controlled by AcuConnect we never see the attempt from our application and are therefore unable to tell if this has happened. Also, our customer wants to protect against a third party trying a brute force attack which may be by writing a program to generate Acuthin command lines with randomly generated passwords which will eventually find the correct one.

Any ideas on how we can do this please?

RE: [archive] Lock out users after multiple incorrect user/password attempts

Ah - OK Nick.

What mechanism - we control it from our menu driver.
First thing it does is ask for a username/password.

Can you not write a login program in Acu?
You'd be in total control then, and the lock out will be easy then.

RE: [archive] Lock out users after multiple incorrect user/password attempts

We could do that but then we would have to licence Acucobol on all our customers' machines and that's not how we operate. We provide a hosted debt recovery system to many customers, each with many users. Also, some clever *** could download acuthin and then sit at home (or in Romania where a lot of these b*****ds are) trying random passwords. I need a mechanism to get Acuconnect to at least tell me when there has been an invalid login and then I can track it and do something about it.

RE: [archive] Lock out users after multiple incorrect user/password attempts

Romania 😄

Sorry, I'm confused now

You say this noddy program constructs an acuthin command line.
Surely that means acuthin is already installed Nick - no?

RE: [archive] Lock out users after multiple incorrect user/password attempts

Yes, Acuthin is installed but NOT Acucobol. Acuthin is free, AcuCobol has to be licenced and paid for.

RE: [archive] Lock out users after multiple incorrect user/password attempts

I suspect I'm missing something very obvious here Nick.

Here's what we do.

Users double click an icon for our application on their desktop.
This is an acuthin link which points to the server configuration entry defined by acurcl.
This then runs our menu driver which in turn calls our security routines, which either grant or deny access to the application.

RE: [archive] Lock out users after multiple incorrect user/password attempts

Ahhhhh. I see.

What you're missing is that we use the AcuAccess facility within Acuserver to do the authorisation, while you use a "menu driver" and your own security routines. I am assuming therefore that you do not use the "acurcl -access" routines to set up security but some other mechanism to identify and authorise your users?

RE: [archive] Lock out users after multiple incorrect user/password attempts

Yes.

We have a generic user to connect with via acuaccess, then our own security in the application.
Probably not an option for you to change then.