Three people - Kevin Goff, Victor Anderson and John Baird - have reported that their account passwords recently "stopped working" and had to be manually reset. None of them seem to know of any reason why this might have happened.
It's common practice to set a lockout policy on user accounts. Typically this comes into effect if there are more than X unsuccessful logon attempts. If the user name is valid, then the passwords are incorrect, which usually means a hack attempt.
Can you tell us:
- if you have implemented an account lockout policy like this
- if IP address(es) of failed logon attempts are logged
- if you take any actions in the event of an account lockout, such as blocking the IP of the failing logons or cross-referencing the IP to those of other members
- if you notify (e.g. via e-mail) the account holder that a hack attempt has occurred
I believe members locked out due to a hack attack should be notified. Some people do not use strong passwords; a notification may prompt them to strengthen theirs.
Also, if Kevin's recent banning was preceded by a hack attempt, Victor and John may have some cause for concern.
Regards. Al
"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov
Neither a despot, nor a doormat, be
Every app wants to be a database app when it grows up
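
The checks asked about in the post above (lockout after more than X failed logons, logging the source IPs, cross-referencing those IPs against other members, and notifying the account holder), as an added example that is not part of the original post and not the site's own code. The threshold of 3, the rule that a successful logon resets the count, the event format, and the account names and IP addresses are all constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 3  # the post's "X" (assumed value): lock after more than X failures in a row

# Constructed sample events: (timestamp, account, source IP, logon succeeded?)
EVENTS = [
    ("2024-01-05T10:00:01", "alice", "203.0.113.7", False),
    ("2024-01-05T10:00:03", "alice", "203.0.113.7", False),
    ("2024-01-05T10:00:04", "bob", "203.0.113.7", False),
    ("2024-01-05T10:00:06", "alice", "203.0.113.7", False),
    ("2024-01-05T10:00:08", "alice", "203.0.113.7", False),
    ("2024-01-05T10:02:00", "carol", "198.51.100.20", False),
    ("2024-01-05T10:02:30", "carol", "198.51.100.20", True),
    ("2024-01-05T10:03:00", "bob", "203.0.113.7", False),
]

def review_logons(events, threshold=THRESHOLD):
    """Return (lockouts, cross_refs) for a time-ordered list of logon events."""
    streak = defaultdict(int)        # consecutive failures per account
    streak_ips = defaultdict(set)    # IPs behind the current failure streak
    failed_by_ip = defaultdict(set)  # every account each IP has failed against
    lockouts = {}                    # account -> when it locked and from which IPs
    for ts, account, ip, ok in events:
        if ok:  # assumed policy: a good logon clears the counter
            streak[account] = 0
            streak_ips[account].clear()
            continue
        failed_by_ip[ip].add(account)  # keep logging even after a lockout
        if account in lockouts:
            continue
        streak[account] += 1
        streak_ips[account].add(ip)
        if streak[account] > threshold:
            lockouts[account] = {"at": ts, "ips": sorted(streak_ips[account])}
    # IPs involved in a lockout that also failed against other members
    cross_refs = {ip: sorted(failed_by_ip[ip]) for lock in lockouts.values()
                  for ip in lock["ips"] if len(failed_by_ip[ip]) > 1}
    return lockouts, cross_refs

def notification(account, lock):
    """Text of the notice to the account holder (delivery is out of scope here)."""
    return (f"Account '{account}' was locked at {lock['at']} after repeated "
            f"failed logons from {', '.join(lock['ips'])}. "
            "If this was not you, choose a stronger password when you reset it.")

if __name__ == "__main__":
    locks, shared = review_logons(EVENTS)
    print(shared)
    for name, lock in locks.items():
        print(notification(name, lock))
```

In the constructed data, the address that locks one account has also failed against a second account that is still below the threshold, which is the cross-reference the post asks about.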