What is the status of the "account locked for 10 minutes"?

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
IndyTwoStep
Lieutenant, Jr. Grade (LT JG)
Posts: 23
Joined: Wed Dec 05, 2007 1:25 pm

What is the status of the "account locked for 10 minutes"?

Post by IndyTwoStep » Fri Jun 06, 2008 7:54 am

I still run into this problem way too often, and I am on the latest release. (and yes, I know my password - I am testing this due to concern... It returns 3 fails and then the "account locked" error that seems to only reset itself on occasion)

I have been able to duplicate this problem on general user accounts, testing as if I were a customer (we all know the three time login fail happens often), and I'd hate to go live and have to take customer calls when they run into this problem... The idea was to create less work for myself with ac7, not nonstop tech help calls from frustrated customers. Manually unlocking logins in a user table is not going to work when I migrate our current site, with over a thousand uniques daily, to this system. The law of averages is working against me here if I, the only user, have frequent problems... That's a 1 to 1 'user' vs. 'login problem' ratio, not too good IMO.

The only solution I found a couple times was to restore the backed up database (after an account remained locked for days), which is not going to work after the site goes live. I'm going to submit a ticket based on feedback here, but I'd like to know if anyone else is having this problem so I don't have to worry about our site not working correctly for customers and losing us business.

I'm aware of other threads on the issue, but there is no official definitive answer on them. Thanks...

nickc
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: What is the status of the "account locked for 10 minutes"?

Post by nickc » Fri Jun 06, 2008 10:43 am

You can forcibly "unlock" by updating dbo.ac_Users.IsLockedOut.

I have encountered this situation several times; where the only way I could get logged in was to "unlock" and then reset my password - so keeping an extra admin account is a good idea.

-Nick

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: What is the status of the "account locked for 10 minutes"?

Post by Logan Rhodehamel » Fri Jun 06, 2008 10:52 am

I set up my test store with a customer password policy that allows 5 tries and a lockout period of 2 minutes. Then as a customer I entered the wrong password 5 times, until I received the account locked message. Then I waited 3 minutes and tried the correct password. I was allowed to log in, and a check of the database confirms the account locked flag was cleared and the failed password count was reset.

Possible solutions to reduce your involvement:
Decrease the lockout timeout
Increase the amount of tries before lockout occurs

The password page features a forgot password reset tool. If a customer sees they only have one or two tries left, our hope is that they will use that link to solve their password problem. This is why we alert them to the number of tries remaining.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
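The behaviour Logan describes (a lock that clears itself once the window has passed, with the failed count reset on the next good login, plus a "tries remaining" warning) as an added example. This is illustration code written for this thread, not AbleCommerce's own implementation; the policy values, record fields, message strings and the flag-only variant are assumptions. The flag-only variant is there to show how a lockout can outlive its window if the check never consults the lock time, which is the symptom the thread is about, not a statement of what AbleCommerce does.

```python
"""Time-boxed account lockout, modelled on the test Logan describes.

Added example, not AbleCommerce code: the policy values (5 tries, 2-minute
window), the record fields and the messages are assumptions for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

LOCKED_MSG = "account locked"


@dataclass
class LockoutPolicy:
    max_attempts: int = 5                               # tries before lockout
    lockout_window: timedelta = timedelta(minutes=2)    # how long the lock lasts


@dataclass
class UserRecord:
    username: str
    password: str                  # constructed sample; a real store holds a hash
    failed_count: int = 0
    is_locked_out: bool = False    # the flag nickc clears by hand in the DB
    locked_at: Optional[datetime] = None


def _clear_lock(user: UserRecord) -> None:
    user.is_locked_out = False
    user.failed_count = 0
    user.locked_at = None


def attempt_login(user: UserRecord, candidate: str, policy: LockoutPolicy,
                  now: datetime, time_boxed: bool = True) -> Tuple[bool, str]:
    """Return (logged_in, message).

    time_boxed=True is the behaviour Logan observed: a lock older than the
    window is cleared before the password is checked.  time_boxed=False is a
    hypothetical check that consults only the flag; it shows how an account
    can stay locked for days, the symptom the thread complains about.
    """
    if user.is_locked_out:
        expired = (time_boxed and user.locked_at is not None
                   and now >= user.locked_at + policy.lockout_window)
        if not expired:
            return False, LOCKED_MSG
        _clear_lock(user)

    if candidate == user.password:          # real code: constant-time hash compare
        _clear_lock(user)                   # success also resets the failed count
        return True, "ok"

    user.failed_count += 1
    if user.failed_count >= policy.max_attempts:
        user.is_locked_out = True
        user.locked_at = now
        return False, LOCKED_MSG
    remaining = policy.max_attempts - user.failed_count
    # The warning Logan mentions: tell the user how many tries are left so
    # they reach for "forgot password" before the lock triggers.
    return False, f"invalid password, {remaining} attempt(s) remaining"


def replay(time_boxed: bool, wait_minutes: int = 3) -> dict:
    """Five wrong passwords, wait, then the right one; report the end state."""
    policy = LockoutPolicy()
    user = UserRecord("customer", "correct horse battery staple")
    t0 = datetime(2008, 6, 6, 10, 0)        # constructed timestamp
    messages = [attempt_login(user, "wrong", policy, t0, time_boxed)[1]
                for _ in range(policy.max_attempts)]
    later = t0 + timedelta(minutes=wait_minutes)
    ok, last = attempt_login(user, user.password, policy, later, time_boxed)
    return {"messages": messages, "logged_in": ok, "last": last,
            "is_locked_out": user.is_locked_out,
            "failed_count": user.failed_count}


if __name__ == "__main__":
    print(replay(time_boxed=True))                       # unlocked after 3 min
    print(replay(time_boxed=False, wait_minutes=24 * 60))  # still locked a day later
```

With the time-boxed check, the 3-minute replay logs in, and the flag and failed count are both cleared, which is what Logan saw in the database. With the flag-only check the same account is still locked a day later, and nothing short of a manual update will release it. Whatever the real cause on a given store, the thing to verify is that the login path compares the lock time against the window rather than trusting the flag alone.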

Mark Harris
Lieutenant, Jr. Grade (LT JG)
Posts: 37
Joined: Fri Mar 28, 2008 3:50 pm
Location: Perth, Western Australia

Re: What is the status of the "account locked for 10 minutes"?

Post by Mark Harris » Sat Jun 07, 2008 10:28 am

As an admin, you can also keep a known password hash of something simple in a safe location. If you forget your new password the day after you change it (been there, done that) you can go and dump that known password hash into the database then login with the password.

Just as a matter of interest, I have also tried to login, failed 5 times, been locked out for 10 mins - come back the next day and still been locked out. I believe I even made a post about it :)

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: What is the status of the "account locked for 10 minutes"?

Post by jmestep » Sat Jun 07, 2008 10:47 am

How do you get a known password hash? From the database directly?
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: What is the status of the "account locked for 10 minutes"?

Post by Logan Rhodehamel » Sat Jun 07, 2008 1:52 pm

Easier than saving a password hash: find the password record for your user - set the password to something in plain text, and set the format to CLEAR. That saves you the trouble of copy/paste.

Mark Harris
Lieutenant, Jr. Grade (LT JG)
Posts: 37
Joined: Fri Mar 28, 2008 3:50 pm
Location: Perth, Western Australia

Re: What is the status of the "account locked for 10 minutes"?

Post by Mark Harris » Sat Jun 07, 2008 3:13 pm

Judy, yes, just save the hash for your user when you know what the password is: the Password column in ac_UsersPasswords. This still gives you a password you can restore without using the ResetAdmin.aspx tool (in the Install folder) and is secure. I'd prefer not to have my admin account with a plain text password.
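The two recovery routes in this thread side by side, as an added example that is not AbleCommerce code: Mark's pre-computed hash dropped back over the live record, and Logan's plain-text value with the format set to CLEAR. The record shape, the format names "CLEAR" and "HASHED", the PBKDF2-SHA256 hashing and the iteration count are all assumptions for this demo; a saved hash only works on a real store if it was produced with the same algorithm, salt handling and iteration count the store verifies with, so check that before relying on one.

```python
"""Admin recovery record: a saved hash versus a CLEAR-format password.

Added example, not AbleCommerce code: the record shape, the format names
"CLEAR"/"HASHED", PBKDF2-SHA256 and the iteration count are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

ITERATIONS = 100_000        # assumed; must match whatever the live store uses


@dataclass
class PasswordRecord:
    format: str             # "CLEAR" or "HASHED"
    password: str           # plain text, or hex digest when HASHED
    salt: str = ""          # hex-encoded, HASHED only


def make_hashed_record(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Build the record you would save offline while you still know the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return PasswordRecord("HASHED", digest.hex(), salt.hex())


def make_clear_record(password: str) -> PasswordRecord:
    """Logan's shortcut: plain text with the format set to CLEAR."""
    return PasswordRecord("CLEAR", password)


def verify(record: PasswordRecord, candidate: str) -> bool:
    if record.format == "CLEAR":
        return hmac.compare_digest(record.password.encode(), candidate.encode())
    if record.format == "HASHED":
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(record.salt), ITERATIONS)
        return hmac.compare_digest(digest.hex(), record.password)
    raise ValueError(f"unknown password format {record.format!r}")


def exposes_plaintext(record: PasswordRecord) -> bool:
    """True when anyone who can read the row can read the password."""
    return record.format == "CLEAR"


def restore_record(store: Dict[str, PasswordRecord], username: str,
                   saved: PasswordRecord) -> None:
    """Overwrite the live row with a record saved earlier (Mark's approach)."""
    store[username] = PasswordRecord(saved.format, saved.password, saved.salt)


def recovery_demo() -> dict:
    """Lock yourself out of 'admin', then recover both ways."""
    store: Dict[str, PasswordRecord] = {}
    saved = make_hashed_record("known-recovery-pass")   # kept offline, in advance
    store["admin"] = make_hashed_record("the one I forgot")

    # Route 1: drop the saved hash over the live row; the row stays hashed.
    restore_record(store, "admin", saved)
    hash_route = verify(store["admin"], "known-recovery-pass")
    hash_leaks = exposes_plaintext(store["admin"])

    # Route 2: plain text + CLEAR; works, but the row now reveals the password.
    restore_record(store, "admin", make_clear_record("temp123"))
    clear_route = verify(store["admin"], "temp123")
    clear_leaks = exposes_plaintext(store["admin"])
    # Logan's follow-up: change it right away so the row is hashed again.
    store["admin"] = make_hashed_record("new-real-password")

    return {"hash_route": hash_route, "hash_leaks": hash_leaks,
            "clear_route": clear_route, "clear_leaks": clear_leaks,
            "final_format": store["admin"].format,
            "old_clear_still_works": verify(store["admin"], "temp123")}


if __name__ == "__main__":
    print(recovery_demo())
```

Both routes get you back in. The difference is what the row says about you afterwards: the hashed record tells a database reader nothing, the CLEAR record hands them the admin password until it is changed, which is why the change-it-immediately step is not optional.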

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: What is the status of the "account locked for 10 minutes"?

Post by Logan Rhodehamel » Sat Jun 07, 2008 3:23 pm

Mark Harris wrote: I'd prefer not to have my admin account with a plain text password.
That's a good point. If I reset it with the CLEAR option I always change it right after. I didn't state that above and it's an important consideration.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: What is the status of the "account locked for 10 minutes"?

Post by AbleMods » Sat Jun 07, 2008 3:47 pm

Logan Rhodehamel wrote: Easier than saving a password hash: find the password record for your user - set the password to something in plain text, and set the format to CLEAR. That saves you the trouble of copy/paste.
Is this forum secure? I'm not comfortable with the posting of specific ways to compromise the security of a store db.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
