Post #12, 05-07-2005, 00:22, by JMI

Any guest can get the names of members to try. It would not be necessary to use a bot and the limited number of attempts so far reported does not suggest a bot attack.

One feature of vBulletin is the fact that you get only 5 wrong login attempts before you are locked out and sent an email which you have to use to get back in. Therefore, a bruteforcer would get only 5 guesses before no further attempts on that username would be permitted, at least until the holder of the email account logs into the email account and clicks on the link provided. Even then the attacker would only get another 5 attempts before another lockout would occur.

So the attack requires both the username and user password to access one's account, and if the email password is NOT the same as the user password here, then the security is that much more difficult to break. Using proper password protocols, such as combinations of uppercase and lowercase and alphanumeric letters and/or symbols, would also increase that security. Forewarned is forearmed. This is also one of the reasons why changing passwords from time to time is required. Without your email password, an attacker is at a disadvantage, even if they guess your Forum login password.

Regards,
__________________
JMI
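The lockout behaviour described in the post above, modelled as an added example (not part of the original post and not vBulletin's code). The names `LockoutGuard`, `mailed_token` and `guesses_evaluated` are hypothetical, the token stands in for the e-mailed link, and resetting the counter on a successful login is an assumption.

```python
import hmac
import secrets

MAX_FAILURES = 5  # wrong attempts allowed before lockout, as the post describes

class LockoutGuard:
    """Hypothetical per-username lockout with an e-mailed unlock token."""

    def __init__(self, check_password):
        self._check = check_password  # callable(username, password) -> bool
        self._failures = {}           # username -> consecutive wrong attempts
        self._tokens = {}             # username -> token sent to the mailbox

    def login(self, username, password):
        # A locked account is refused before the password is checked, so even
        # a correct guess made during lockout reveals nothing.
        if username in self._tokens:
            return "locked"
        if self._check(username, password):
            self._failures.pop(username, None)  # assumption: success resets
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= MAX_FAILURES:
            self._tokens[username] = secrets.token_urlsafe(32)
        return "wrong"

    def mailed_token(self, username):
        return self._tokens.get(username)  # only the mailbox owner sees this

    def unlock(self, username, token):
        expected = self._tokens.get(username)
        if expected is None or not hmac.compare_digest(
                expected.encode(), token.encode()):
            return False
        del self._tokens[username]
        self._failures.pop(username, None)
        return True

def guesses_evaluated(guard, username, wordlist, owner_unlocks):
    """Guesses actually checked when the owner clicks the link owner_unlocks times."""
    evaluated = 0
    for guess in wordlist:
        result = guard.login(username, guess)
        if result == "locked":
            if owner_unlocks == 0:
                break
            owner_unlocks -= 1
            guard.unlock(username, guard.mailed_token(username))
            result = guard.login(username, guess)
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

With no unlock the model checks exactly 5 guesses per username, and each click on the mailed link by the account holder allows 5 more.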