
Checkup Documentation

Maximum invalid sign-in attempts setting

severity-low cms-settingskey-maximum-invalid-logon-attempts

Summary

One of the most common threats to website security is account takeover. To compromise an account, attackers use methods that try to guess its password, either by combining different characters (brute force) or by selecting candidate passwords from a dictionary.

This threat is mitigated by limiting the number of invalid sign-in attempts: a user's account is locked once an incorrect password has been entered the specified number of times.

Review Kentico's documentation for more information:
https://docs.xperience.io/k12sp/securing-websites/designing-secure-websites/securing-user-accounts-and-passwords/invalid-sign-in-attempts


Check Logic

Constant Care for Kentico checks that the Maximum invalid sign-in attempts setting is not 0 (the default, which leaves the number of attempts unlimited and so never locks an account).

You can manage your settings for this checkup in the Constant Care for Kentico admin settings.


Resolution

  1. Go to the Settings application.
  2. Go to the Security & Membership > Protection category.
  3. Set the Maximum invalid sign-in attempts to a value other than 0 (the Constant Care for Kentico team recommends 5).
  4. IMPORTANT: Be sure you have your unlock process in place (email reset, reset page path, etc.) before enabling lockout, otherwise legitimate users who are locked out have no way back in.

Review Kentico's documentation for more information:
https://docs.xperience.io/k12sp/securing-websites/designing-secure-websites/securing-user-accounts-and-passwords/invalid-sign-in-attempts
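As an added example (not Constant Care for Kentico's or Kentico's own code), the following Python model shows the check logic above evaluated over a constructed settings snapshot, including a site-level override of the global value, and the lockout behaviour the setting controls: the same sequence of wrong passwords against the recommended limit of 5 and against 0, followed by the unlock step from resolution step 4. The settings key name is assumed from the checkup tag on this page, and the global/site override model is an assumption about how the value is resolved.

```python
# Added example: a stand-alone Python model of this checkup and of the lockout
# behaviour the setting controls. It is not Constant Care for Kentico's or
# Kentico's own code. Assumptions: the settings key name below (taken from the
# checkup tag on this page) and that a site-level value overrides the global one.
import hmac
from dataclasses import dataclass

# Assumed key name; 0 means lockout is off (the page's "default" value).
MAX_INVALID_ATTEMPTS_KEY = "CMSMaximumInvalidLogonAttempts"
RECOMMENDED_MAX_ATTEMPTS = 5  # value recommended in the Resolution section


def effective_value(global_settings, site_settings, key):
    """Site-level override wins; otherwise fall back to the global value, then 0."""
    if key in site_settings:
        return int(site_settings[key])
    return int(global_settings.get(key, 0))


def check_max_invalid_attempts(global_settings, site_overrides):
    """The checkup: report every scope whose effective value is 0.

    Returns a list of (scope, value) findings; an empty list means the check passes.
    """
    findings = []
    if effective_value(global_settings, {}, MAX_INVALID_ATTEMPTS_KEY) == 0:
        findings.append(("global", 0))
    for site, overrides in site_overrides.items():
        if effective_value(global_settings, overrides, MAX_INVALID_ATTEMPTS_KEY) == 0:
            findings.append((site, 0))
    return findings


@dataclass
class Account:
    """Constructed sample account; only what the lockout logic needs."""
    name: str
    password: str          # plaintext only for the model; real systems store a hash
    invalid_attempts: int = 0
    locked: bool = False


def try_sign_in(account, password, max_invalid_attempts):
    """Returns 'ok', 'invalid' or 'locked'.

    A failed attempt increments the counter; when max_invalid_attempts is > 0 and
    the counter reaches it, the account locks. With 0 the counter is never
    enforced, so guessing can continue indefinitely, which is what the checkup flags.
    """
    if account.locked:
        return "locked"
    if hmac.compare_digest(password.encode(), account.password.encode()):
        account.invalid_attempts = 0   # a successful sign-in resets the counter
        return "ok"
    account.invalid_attempts += 1
    if max_invalid_attempts > 0 and account.invalid_attempts >= max_invalid_attempts:
        account.locked = True
        return "locked"
    return "invalid"


def unlock(account):
    """The unlock process of Resolution step 4 (e.g. completed after an email reset)."""
    account.locked = False
    account.invalid_attempts = 0


def demo():
    # Constructed settings snapshot: the global value is fine, but one site overrides it to 0.
    global_settings = {MAX_INVALID_ATTEMPTS_KEY: RECOMMENDED_MAX_ATTEMPTS}
    site_overrides = {"ExampleSiteA": {MAX_INVALID_ATTEMPTS_KEY: 0}, "ExampleSiteB": {}}
    findings = check_max_invalid_attempts(global_settings, site_overrides)

    # The same sequence of six wrong guesses against the recommended limit and against 0.
    limited = Account("alice", "correct-horse-battery")
    unlimited = Account("bob", "correct-horse-battery")
    guesses = [f"guess-{i}" for i in range(6)]  # constructed wrong passwords
    limited_results = [try_sign_in(limited, g, RECOMMENDED_MAX_ATTEMPTS) for g in guesses]
    unlimited_results = [try_sign_in(unlimited, g, 0) for g in guesses]
    return findings, limited_results, unlimited_results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the site whose override sets the value back to 0, shows the limited account locking on the fifth wrong guess while the unlimited one accepts every attempt, and `unlock()` is what the reset flow from step 4 must call before the user can sign in again.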

Not sure what to do?

If you are ever unsure about making changes to your site, we encourage you to reach out to your Kentico Xperience Gold Partner. If you do not have a partner, feel free to contact the Constant Care for Kentico team to get connected with an expert.