Channel: R&D Forums

VMware vSphere • Re: [V13] Veeam Server Appliance host admin lockout, MFA reset, password reset

For my own and overall understanding:

For every account, veeadmin and veeamso (and all others created afterwards), as soon as there are 3 incorrect logins, the account gets locked out!?

So either you can reset them; for veeamso this apparently works with the recovery code, resulting in resetting the password, creating a new MFA token and getting a new recovery code?

Or going down the live OS ISO route...

EDIT: clearly this is also a lack of experience (and/or ignorance) on my side... I just read and saw that you can also unlock EVEN the veeamso user from the Veeam host management, as long as you can log in there with a host admin user! So this also alleviates my concerns in the following sentences.


I'm not sure if this is really a good approach... On one side this will cause plenty of support cases, because there could be multiple reasons for getting the password wrong 3 times in a row... even more so if you're working with different Veeam appliances (I'm just talking from experience, right now!): it's very easy to enter the incorrect password, and the keyboard layout is another big source of errors here.

Either the lockout count should be upped to a higher number, or there should be an automatic account unlock after 10 or 15 minutes... and once this has been hit 3 times, for example, the accounts should get locked longer or permanently...

And moreover, as an attacker you could also cause some issues by locking these accounts simply by submitting some random logins...

The biggest issue, though: there is no reporting at all that this is happening, whether through "stupidity" or a bad actor... The admins never learn about it until they try to sign in and don't know what's going on, which brings me to the next issue... the failure message is exactly the same: "Authentication failed." I get it, it might be hard to implement, but I would opt for another message as soon as the account is locked... Overall this brings me back to: this will raise cases on Veeam's end immensely!

I fully understand the security concerns and why this all matters!

That said, resetting these accounts, as explained above with veeamso, directly results in the next potential issue: the old account gets invalidated with a new password/TOTP, which can directly result in the next lock...


This is just my personal two cents, but I'm sure I am not alone with these thoughts!

Statistics: Posted by DaStivi — Oct 16, 2025 7:32 am
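The lockout behaviour proposed in the post above (automatic unlock after a short window, longer and then permanent locks on repeated lockouts) together with the missing reporting, as an added Python example. This is illustrative code written for this page, not Veeam's implementation, and it says nothing about how the appliance actually handles lockouts; the threshold (3 failures within 10 minutes), the lock durations (15 min, 1 h, permanent), the account name and source address in the scenario, and the `alert` callback are all assumptions.

```python
import math
from dataclasses import dataclass, field

# Policy parameters (all assumed values for illustration, not Veeam's).
LOCK_THRESHOLD = 3            # failures within FAIL_WINDOW that trigger a lock
FAIL_WINDOW = 600             # seconds; older failures are forgotten
LOCK_DURATIONS = (900, 3600, math.inf)   # 1st lock 15 min, 2nd 1 h, 3rd+ permanent


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0   # unix time the lock expires; 0 = unlocked, inf = permanent
    lockouts: int = 0           # how many times this account has been locked


class LockoutPolicy:
    """Escalating lockout with automatic unlock and an alert hook.

    `alert` is any callable taking an event dict (an assumed stand-in for a
    syslog or SIEM forwarder); it is called whenever an account is locked and
    whenever someone keeps trying against an already locked account.
    """

    def __init__(self, alert):
        self.alert = alert
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return now < self._state(user).locked_until

    def attempt(self, user, password_ok, now, source):
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        if now < st.locked_until:
            # Attempts against a locked account are worth reporting: either a
            # legitimate admin retyping the password or an attacker keeping it locked.
            self.alert({"event": "attempt_on_locked_account", "user": user,
                        "source": source, "time": now})
            return "locked"
        if password_ok:
            st.failures.clear()          # a good login resets the failure window
            return "ok"
        st.failures = [t for t in st.failures if now - t < FAIL_WINDOW]
        st.failures.append(now)
        if len(st.failures) < LOCK_THRESHOLD:
            return "failed"
        # Threshold reached: escalate the lock duration with each lockout.
        st.lockouts += 1
        duration = LOCK_DURATIONS[min(st.lockouts, len(LOCK_DURATIONS)) - 1]
        st.locked_until = now + duration
        st.failures.clear()
        self.alert({"event": "account_locked", "user": user, "source": source,
                    "lockout_no": st.lockouts, "until": st.locked_until, "time": now})
        return "locked"


def simulate():
    """Constructed scenario: three wrong passwords, a correct one during and after
    the lock, then two more rounds to show escalation. Returns the outcomes."""
    alerts = []
    policy = LockoutPolicy(alerts.append)
    t = 1_700_000_000.0           # arbitrary base timestamp (constructed)
    user, src = "veeamso", "10.0.0.5"

    first = [policy.attempt(user, False, t + i, src) for i in range(3)]
    during = policy.attempt(user, True, t + 60, src)     # right password, still locked
    after = policy.attempt(user, True, t + 950, src)     # 15 min passed: auto-unlocked

    for i in range(3):                                   # second lockout: 1 h
        policy.attempt(user, False, t + 1000 + i, src)
    second_duration = policy.accounts[user].locked_until - (t + 1002)

    for i in range(3):                                   # third lockout: permanent
        policy.attempt(user, False, t + 5000 + i, src)
    permanent = policy.is_locked(user, t + 10**9)

    return {"first": first, "during": during, "after": after,
            "second_duration": second_duration, "permanent": permanent,
            "alert_events": [a["event"] for a in alerts]}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Running the block prints the scenario's outcomes. `attempt` distinguishes 'locked' from 'failed' internally so that the event can be logged and alerted on; whether the user-facing message should also differ is a separate decision, since a distinct "account locked" response also tells an unauthenticated party which accounts exist and which are currently locked.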


