I notice that account lockout status is not reset when a password is reset. This allows an attacker to execute a denial-of-service attack against anyone whose username or email address he knows. Given that usernames are public information on this forum, all the attacker has to do is choose a username from https://www.howtoforge.com/community/members/ and purposely fail several logins in that user's name, and the user will be unable to access his account until the timeout period expires. Needless to say, this can be done in an automated capacity, if the attacker wishes to be particularly annoying. Am I assessing the situation correctly? Or is there some non-obvious mechanism to prevent this type of abuse? Thanks for any insight!
I haven't developed the Xenforo Forum software, so I can't say for sure which exact mechanism they use. But Xenforo is a widely used software on large forums, so there are probably no frequent problems with that.
Thanks for taking a look, Till. Shall I test it? I'll fail login with your account several times and we'll see if you're still able to login. Presumably, any throttling is IP-specific, so this shouldn't lock you out, in theory...
Okay, I just tried to lock you out by failing 5 times. Are you still able to log out and back in? And if not, are you able to reset your password?
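As an added illustration of the two mitigations raised in this thread (throttling keyed on the client IP as well as the username, and clearing lockouts once a password reset completes), here is a small hypothetical lockout tracker. It is example code written for this discussion, not XenForo's implementation, and the class and method names are assumptions:

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Temporary lockout keyed on (client IP, username) rather than on the
    username alone, so someone who only knows a public username cannot lock
    its owner out from a different address. A completed password reset clears
    every lockout on that username, closing the gap the report describes.
    Hypothetical design for illustration; not XenForo's code."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        # (ip, username) -> [failure count, time of last failure]
        self._failures = defaultdict(lambda: [0, 0.0])

    def is_locked(self, ip, username, now=None):
        now = time.time() if now is None else now
        count, last = self._failures.get((ip, username), (0, 0.0))
        if count < self.max_failures:
            return False
        if now - last >= self.lockout_seconds:
            # lockout window elapsed: forget the old failures
            del self._failures[(ip, username)]
            return False
        return True

    def record_failure(self, ip, username, now=None):
        """Count one failed login; returns the new failure count."""
        now = time.time() if now is None else now
        entry = self._failures[(ip, username)]
        entry[0] += 1
        entry[1] = now
        return entry[0]

    def record_success(self, ip, username):
        # A correct password from this address clears its own counter only.
        self._failures.pop((ip, username), None)

    def password_reset_completed(self, username):
        # The user proved control of the registered email address, so drop
        # every lockout on this username no matter which IP caused it.
        for key in [k for k in self._failures if k[1] == username]:
            del self._failures[key]
```

Keying on the IP/username pair means an attacker with many addresses gets more guesses per account than a username-only counter allows, so production systems usually pair this with a slower per-username limit or CAPTCHA rather than a hard lock.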