I have a question about how EEM handles the incorrect password settings. We currently have the "Invalidate password after X attempts" set to 10.
The documentation states that "after a sequence of incorrect passwords, EE can disable the user's account". Does a "sequence" mean that the attempts have to be consecutive OR does it mean that it is cumulative and will invalidate whenever the 10th incorrect password is entered?
I believe it is not cumulative, but it appears to disable some people after a few incorrect attempts. Is there possibly a time period that it uses to accumulate them and then clears out after a certain period of time?
Your help is appreciated.
It's cumulative and will get synced around if the machine is able.
It clears the account after a successful login locally, which will get uploaded to EEM and back down to other machines etc.
What usually catches people out is userA tries a few times on machineA and locks their account, then userB logs into machineA - when it syncs, it uploads userA's guessing history to EEM, which sends it to all other machines when they sync.
At some point, userA goes and tries to log in to machineB, and finds their account already locked, or locks after fewer attempts etc. because when it last synced, there was some history for userA....
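The behaviour described in the reply above can be reproduced with a small simulation. This is an added example, not part of the original thread and not EEM code; the `Server` and `Machine` classes, the event replay in `sync`, and the choice of four earlier failures are assumptions made for illustration.

```python
THRESHOLD = 10  # the "Invalidate password after X attempts" value from the question

class Server:
    """Stand-in for EEM: one cumulative failure count per user (assumed model)."""
    def __init__(self):
        self.failures = {}

class Machine:
    def __init__(self):
        self.failures = {}  # local copy of each user's failure count
        self.pending = []   # (user, event) pairs not yet uploaded

    def login(self, user, password_ok):
        if self.failures.get(user, 0) >= THRESHOLD:
            return "locked"
        if password_ok:
            self.failures[user] = 0  # a successful local login clears the history
            self.pending.append((user, "reset"))
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.pending.append((user, "fail"))
        return "locked" if self.failures[user] >= THRESHOLD else "failed"

    def sync(self, server):
        # Upload the local history for every user, then pull the server's view.
        for user, event in self.pending:
            if event == "reset":
                server.failures[user] = 0
            else:
                server.failures[user] = server.failures.get(user, 0) + 1
        self.pending.clear()
        self.failures = dict(server.failures)

def attempts_until_lock(machine, user):
    """Count wrong passwords entered on this machine, including the one that locks."""
    n = 1
    while machine.login(user, False) != "locked":
        n += 1
    return n

def scenario(clear_with_good_login):
    eem, machine_a, machine_b = Server(), Machine(), Machine()
    for _ in range(4):                   # userA guesses wrong four times on machineA
        machine_a.login("userA", False)
    if clear_with_good_login:
        machine_a.login("userA", True)   # a good login wipes the count
    machine_a.login("userB", True)       # userB logs in to machineA...
    machine_a.sync(eem)                  # ...and the sync uploads userA's history too
    machine_b.sync(eem)                  # machineB now knows about userA's failures
    return attempts_until_lock(machine_b, "userA")
```

`scenario(False)` shows userA locking on machineB after fewer than ten wrong passwords there, while `scenario(True)` shows the full ten being available again once a successful login has been synced.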