0

I have used the script from "batch file which asks for username/password + registration" (topic already in stackoverflow)... here's my question: Is there any way that i could add a lockout to a batch-file or execute a shutdown command after 5 incorrect attempts? (the timeout at the bottom is for 24 hours) Example Situation: Username: bobTESTattempt1 Password: 1234 [enter] Password is incorrect 4 attempts remaining!

(the next 3 attempts are used)

Username: bobTestattempt5 Password 123342 [enter] Password is incorrect 0 attempts remaining! [enter]

ACCOUNT LOCKED OUT TIMEOUT 86400

NRITNS-Michael
  • 3
  • 1
  • 2
  • 4
    There is an obvious problem with this solution. The user can use `Ctrl+C` or `Ctrl+Break` to exit a batch file at any time, and re-start it. Any counter would then be reset. So after the first lockout at 5 tries, the user can try 4 times, hit `Ctrl+C`, and re-start the batch file for 4 more tries, and repeat as many times as they want. – Ken White Sep 13 '12 at 02:44
  • Another issue would be that the batch file would require access to the plaintext password, meaning that your plaintext password exists in a file or variable for anyone to find. A very poor security practice. – James K Sep 17 '12 at 11:18
  • You used to be able to use the `BREAK OFF` command to at least shut off the users ability to use `CTRL+C`, but that's been changed long ago. Anymore the `BREAK` command is just there to prevent ancient DOS batch files from throwing errors. Under DOS you could solve this problem by using `BREAK OFF` and hiding both your batch file and data files. Then the average user might still break out with `CTRL+BREAK`, but wouldn't know the name of the file to run or to peek into. `*pining for the good-old-days*` – James K Sep 17 '12 at 11:23
  • Ah! i see your point on the password file encryption, way ahead of you... when you first set your username & password the system & hidden attribute is added... i figured out that even though it is hidden, the login script can still "see" it. if need be, i have a separate encryption program that can add extra security... but if someone is able to "break" through the encryption... it won't matter, because this script isn't protecting my credit card ## -- it's just another way that i came up with to access my router settings. – NRITNS-Michael Sep 17 '12 at 14:08
  • @NRITNS-Michael - It seems to me that a lot of people automatically turn on the "see hidden files" option whenever they setup a fresh install for themselves, making hiding files pretty much a pointless gesture. (Or maybe it's just me projecting my own actions onto others.) – James K Sep 17 '12 at 18:10

1 Answers1

0

Here you go

@echo off
set counter=5
:CREDS
cls
if %counter% equ 0 goto :LOCKOUT
if %counter% lss 5 echo Password incorrect, %counter% attempts left
set /p un=Enter your username:
set /p pw=Enter your password:
if %un%==correctusername (
if %pw%==correctpassword goto :ALLOK
)
goto :WRONG

:WRONG
set /a counter-=1
goto :CREDS

:ALLOK
echo Creds ok, do whatever
pause >nul
exit >nul

:LOCKOUT
echo ACCOUNT LOCKED OUT TIMEOUT 86400
timeout /t 86400
goto :CREDS
Bali C
  • 30,582
  • 35
  • 123
  • 152