Question about Login Security Settings

**yuri** · 2026-06-24T10:46:36+00:00

Hi Tomas,

'authUsernameFailedAttemptsDelay' is a delay in seconds before the response is returned. Fired only if the attempts number exceeds the limit (authMaxUsernameFailedAttemptNumber) within the time period (authUsernameFailedAttemptsPeriod). It helps preventing brute force attacks. Ignored for known IP addresses (a user under the same IP address logged in before), to minimize intentional account locking.

**ThomasB** · 2026-06-24T10:54:08+00:00

Hm, ok. This makes testing a bit more difficult with the known IP.

But my question remains: Do I have to set authUsernameFailedAttemptsPeriod or has it a default, if not set?

My assumption was that I could block users from login again, after x numbers of failed attempts for x minutes

**yuri** · 2026-06-24T11:14:43+00:00

It works the way I described in my previous post. It does not block but produces a delay. The response returned with a delay.

**yuri** · 2026-06-24T11:21:27+00:00

There's also another mechanism preventing brute force for an IP address.

Parameters for both are available in docs: https://docs.espocrm.com/administrat...for-ip-address

We don't have a mechanism to block the user completely. We intentionally didn't add such a feature.

**ThomasB** · 2026-06-24T11:27:47+00:00

Yes, I know the page.
You can only use one or the other method I think? And not both at the same time.

**yuri** · 2026-06-24T11:33:20+00:00

Both can function at the same time, they are implemented as hooks. While the first one is always on, the second is enabled with 'authUsernameFailedAttemptsLimitEnabled'.

Question about Login Security Settings

Question about Login Security Settings

Comment

Comment

Comment

Comment

Comment

Comment