CodingForums.com - View Single Post

felgall · 01-30-2013, 06:35 PM

On the sites where I require logins I don't lock accounts after any number of wrong passwords. Instead I lock the account for 15 seconds after any wrong password or attempt to login while the account is locked. That way the real owner isn't inconvenienced by their account being locked by someone else trying to break in and locking their account and any brute force attack will either fail completely if they don't guess right first go or if they do build in sufficient delay between attempts it will likely take many millions of years before they get to the right password (but I wouldn't expect them to build in such a delay which means that only their first guess is even considered).

01-30-2013, 06:35 PM	PM User \| #3
felgall Master Coder Join Date: Sep 2005 Location: Sydney, Australia Posts: 5,447 Thanks: 0 Thanked 496 Times in 488 Posts	On the sites where I require logins I don't lock accounts after any number of wrong passwords. Instead I lock the account for 15 seconds after any wrong password or attempt to login while the account is locked. That way the real owner isn't inconvenienced by their account being locked by someone else trying to break in and locking their account and any brute force attack will either fail completely if they don't guess right first go or if they do build in sufficient delay between attempts it will likely take many millions of years before they get to the right password (but I wouldn't expect them to build in such a delay which means that only their first guess is even considered). __________________ Stephen Learn Modern JavaScript - http://javascriptexample.net/ Helping others to solve their computer problem at http://www.felgall.com/