Login Brute-Force Protection
Discussions center on preventing brute-force attacks via rate limiting, throttling of failed login attempts, account lockouts, and related measures such as generic error messages and username-enumeration prevention.
Sample Comments
Why not just lock out a user after n failed login attempts?
This scenario is not realistic, as you can just lengthen time between subsequent login attempts per username.
Can someone school me in why we don't just throttle login attempts (each fail extends time to next attempt exponentially) and put an attempt cap that requires password reset?
Did you at least put a responsible error message for all people with failed logins to mitigate the issue?
A pretty common policy is to lock out an account after a few consecutive failed login attempts.
You should rate-limit your logins anyway lest you want to end up like Apple & the Fappening.
Rate-limit after x failed logins on either source IP, username and password. Just provide a real-world side-channel escape hatch for legitimate users (e.g. phone or email). Barely anyone will actually use it.
I imagine it would make it harder for bots to brute-force login credentials.
Would this "fraud" detection be triggered by some unauthorized user trying their account password too many times or a more sophisticated attack?
The answer should be that it's a privacy leak! Do you allow random actors to brute force your login?
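The comments above describe a combination of controls: an exponentially growing delay per username after each failure, a cap after which a password reset is required, a per-source-IP limit, a generic error message so failures do not reveal whether the username exists, and an out-of-band escape hatch for legitimate users. The Python below, added here as an illustration and not code from any of the commenters, wires those pieces together in one class. The credential store, the thresholds, the `now` parameter (passed in explicitly so the behaviour can be checked without sleeping) and the `unlock_after_verification` hook are all assumptions for the example; a real deployment would back the counters with shared storage and trigger the reset flow through e-mail or phone, not through the login response.

```python
"""Login throttling: per-user exponential backoff, reset cap, per-IP limit,
generic error text. Constructed example; names and thresholds are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# One message for every failure, including unknown usernames and throttled
# attempts, so the response itself cannot be used for username enumeration.
GENERIC_ERROR = "Invalid username or password."
_DUMMY_SALT = b"\x00" * 16  # used to do equal hashing work for unknown users


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(credentials):
    """Constructed credential store: username -> (salt, hash)."""
    store = {}
    for name, password in credentials.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


@dataclass
class _UserState:
    failures: int = 0
    not_before: float = 0.0  # earliest time the next attempt is evaluated
    locked: bool = False     # reset cap reached; only the escape hatch clears it


@dataclass
class _IpState:
    window_start: float = 0.0
    failures: int = 0


class LoginThrottle:
    def __init__(self, users, base_delay=1.0, max_delay=300.0,
                 reset_cap=10, ip_limit=20, ip_window=600.0):
        self.users = users
        self.base_delay, self.max_delay = base_delay, max_delay
        self.reset_cap, self.ip_limit, self.ip_window = reset_cap, ip_limit, ip_window
        self._by_user = {}   # username -> _UserState (unknown names are tracked too)
        self._by_ip = {}     # source ip -> _IpState

    def _delay_after(self, failures):
        # 1s, 2s, 4s, ... capped so a legitimate user is never delayed for hours
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def _ip_blocked(self, ip, now):
        st = self._by_ip.setdefault(ip, _IpState(window_start=now))
        if now - st.window_start >= self.ip_window:   # sliding-window reset
            st.window_start, st.failures = now, 0
        return st.failures >= self.ip_limit

    def attempt(self, username, password, source_ip, now):
        """Returns (success, message); the message never depends on the username."""
        user_st = self._by_user.setdefault(username, _UserState())
        if self._ip_blocked(source_ip, now) or user_st.locked or now < user_st.not_before:
            return False, GENERIC_ERROR      # refused before the password is checked

        record = self.users.get(username)
        if record is None:
            _hash_password(password, _DUMMY_SALT)   # same work, so timing does not leak
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(_hash_password(password, salt), expected)

        if ok:
            self._by_user[username] = _UserState()   # success clears the backoff
            return True, "OK"

        user_st.failures += 1
        self._by_ip[source_ip].failures += 1
        if user_st.failures >= self.reset_cap:
            user_st.locked = True        # reset flow is triggered out of band, not here
        else:
            user_st.not_before = now + self._delay_after(user_st.failures)
        return False, GENERIC_ERROR

    def retry_after(self, username, now):
        """Seconds until the next attempt is evaluated (for logs/support, not clients)."""
        st = self._by_user.get(username)
        return max(0.0, st.not_before - now) if st else 0.0

    def needs_reset(self, username):
        st = self._by_user.get(username)
        return bool(st and st.locked)

    def unlock_after_verification(self, username):
        """Escape hatch: call only after an out-of-band check (phone/e-mail) succeeded."""
        self._by_user[username] = _UserState()
```

Two details carry most of the value: the throttle state is kept for usernames that do not exist, so the delay pattern does not betray which accounts are real, and a refused attempt (throttled or locked) is not counted as a failure, so an attacker cannot push a legitimate user into a permanent lockout by hammering the endpoint during the backoff window.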