>Three people - Kevin Goff, Victor Anderson and John Baird - have reported that their account passwords recently "stopped working" and had to be manually reset. None of them seem to know of any reason why this might have happened.
>
>It's common practice to set a lockout policy on user accounts. Typically this comes into effect if there are more than X unsuccessful logon attempts. If the user name is valid, then the passwords are incorrect, which usually means a hack attempt.
>
>Can you tell us:
>
>- if you have implemented an account lockout policy like this
>- if IP address(es) of failed logon attempts are logged
>- if you take any actions in the event of an account lockout, such as blocking the IP of the failing logons or cross-referencing the IP to those of other members
>- if you notify (e.g. via e-mail) the account holder, that a hack attempt has occurred
>
>I believe members locked out due to a hack attack should be notified. Some people do not use strong passwords; a notification may prompt them to strengthen theirs.
>
>Also, if Kevin's recent banning was preceded by a hack attempt, Victor and John may have some cause for concern.
Noted.
Thanks, I will work on some of that soon.
