Anti Brute-Force

[LTDNorb]

Quote from the announcement:

At 3 pm, I was notified of the breach. Being rather surprised by the situation and trying to figure out what happened, things didn't look good. Half an hour later, I contacted uakf.b informing him about the breach and we have taken measures to counter the "hack" (which, in fact, was just a mere brute-force of a forum user's password; how exactly he got the user's password is unknown to us though).

I don't quite understand the red-highlighted part in combination with the blue-highlighted part, as it explains how the password was stolen.

As a general suggestion, I wanted to bring up to disable an account after 3-5 consecutive failed attempts. E-Mail with unlock-link would be generated, to ensure that the person with the right E-Mail can unlock the account. Maybe even send an E-Mail for each failed attempt, in case someone tries to 'hack' it bit by bit.

Edit: Or maybe just for Staff Members if the rest could cause too much hassle/confusion?

[aRt)Y]

@LTDNorb phpbb blocks login attempts after 3 or 5 times by default and temp. bans the IP. Therefore, casually brute-forcing it is not possible. However, an attacker could use proxies any time and circumvent this. (Unless phpbb blocks the logins for the account itself rather than IP, then never mind).

Anyhow, the staff member has been informed to change his passwords (as it might have been stolen on other sites ("phishing")).

We already considered two factor auth. but given ENT does no longer implement technical things, we did not proceed. The staff dept's accounts have been changed to be non-delete-able/non-alter-able. Plus, staff members will no longer have ACP access.

We might re-consider the forum extension though.