Account lockout is a basic mechanism which protects passwords against brute-force attacks. After each failed login attempt failed login counter is incremented by one. Once the counter reaches threshold (10 by default) the account is locked and all further login attempts (with valid password or not) in the next 15 minutes will result in login failure. The counter is reset after successful login or after a time period following last login attempt.
Threshold, lockout duration and reset counter period can be configured in the configuration file or using the web administration. The feature can also be disabled altogether by setting threshold value to 0.
Minor changes and fixes
- Confirmation dialog is shown when attempting to remove user (WA)
For a complete list of changes, see the release notes.