Originally Posted by Fou-Lu
This is very practical; a per-basis flood control. Slows down brute force, minimal interruption to legit users. If you run a posting type system, you can actually make use of the IP only in the sense that if the IP has been used in the past for posting, the chances are somewhat high that the user is legit and simply keyed in wrong. You can reduce flood controls for such a situation to like 5 seconds, which is about the time for them to read the message and try again.
I also implement temporary account lockouts though. I time them variably, but default would be set for 5 minutes. After three such attempts (of 5 or so attempts, so say 15 fails in total), I permanently lock the account, and send an email to the registered account with unlocking procedures to follow. This way they don't have to wait for me to unlock them.
If the user's anything like I am, and I'm quite patient in attempts, after about 5 or 6 failed attempts I then run password reset procedures since I've obviously forgotten my password by this point. So make sure you create a password reset mechanism as well.
So having 15 minutes is a little too much then.
I have a forgot password function which generates a random 10-character letter-and-number string for the first login and then prompts the user to change the password before he/she can do anything else when in the account.
Do you guys know any hackers who, when I've finished, can test my site for issues so that I can make sure that others can't take advantage of them?
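As an added example (not code from either poster), here is the policy Fou-Lu describes put together in one place: a per-IP flood control that is relaxed to 5 seconds for IPs that have logged in successfully before, a 5-minute temporary lockout after every 5 failed attempts, and a permanent lock after three such lockouts (15 fails) that queues an unlock token for the registered email address. The 30-second spacing for unseen IPs, the token format and the pbkdf2 storage of the test passwords are my assumptions, not something the thread specifies; the clock is passed in so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy values taken from the thread; UNKNOWN_IP_DELAY is an assumption.
FAILS_PER_LOCKOUT = 5
TEMP_LOCK_SECONDS = 5 * 60
MAX_LOCKOUTS = 3            # 3 lockouts x 5 fails = 15 fails -> permanent lock
KNOWN_IP_DELAY = 5          # seconds between attempts from an IP that has logged in before
UNKNOWN_IP_DELAY = 30       # assumed stricter spacing for IPs never seen before


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; iteration count is kept low for the demo, raise it in production."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    fails: int = 0              # cumulative fails since the last successful login
    lockouts: int = 0           # temporary lockouts since the last successful login
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    permanently_locked: bool = False


class LoginGuard:
    def __init__(self, credentials: Dict[str, str], known_ips=()):
        # Constructed demo store: username -> (salt, pbkdf2 hash)
        self.creds = {u: hash_password(p) for u, p in credentials.items()}
        self.known_ips = set(known_ips)
        self.accounts: Dict[str, AccountState] = {}
        self.last_attempt: Dict[str, float] = {}          # ip -> time of last accepted attempt
        self.unlock_mail: List[Tuple[str, str]] = []      # (user, token) queued for the registered email

    def attempt(self, user: str, password: str, ip: str, now: float) -> str:
        """Returns one of: ok, fail, flood, locked, permanently_locked."""
        st = self.accounts.setdefault(user, AccountState())
        if st.permanently_locked:
            return "permanently_locked"
        if now < st.locked_until:
            return "locked"
        # Per-IP flood control: IPs that have logged in before get the short 5 s spacing.
        spacing = KNOWN_IP_DELAY if ip in self.known_ips else UNKNOWN_IP_DELAY
        last = self.last_attempt.get(ip)
        if last is not None and now - last < spacing:
            return "flood"          # rejected before any password check, so it is not counted as a fail
        self.last_attempt[ip] = now
        if self._check(user, password):
            st.fails = st.lockouts = 0
            st.locked_until = 0.0
            self.known_ips.add(ip)  # this IP is now "seen" and gets the relaxed spacing
            return "ok"
        st.fails += 1
        if st.fails % FAILS_PER_LOCKOUT == 0:
            st.lockouts += 1
            if st.lockouts >= MAX_LOCKOUTS:
                st.permanently_locked = True
                # Token would go out by email with the unlock procedure; format is an assumption.
                self.unlock_mail.append((user, secrets.token_urlsafe(32)))
                return "permanently_locked"
            st.locked_until = now + TEMP_LOCK_SECONDS
            return "locked"
        return "fail"

    def _check(self, user: str, password: str) -> bool:
        entry = self.creds.get(user)
        if entry is None:
            hash_password(password)  # unknown user: hash anyway so timing does not reveal valid names
            return False
        salt, expected = entry
        _, got = hash_password(password, salt)
        return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    g = LoginGuard({"alice": "correct horse battery"}, known_ips={"10.0.0.5"})
    for t in (0, 1, 6, 12, 18, 24, 30):
        print(t, g.attempt("alice", "wrong", "10.0.0.5", t))
    print(330, g.attempt("alice", "correct horse battery", "10.0.0.5", 330))
```

Two things worth noting about this shape: the flood check rejects a request before the password is verified, so a hammering client cannot burn through the 5-attempt budget faster than the spacing allows, and the per-account state is keyed by username, so every username tried creates an entry; in a real deployment that map needs expiry or a bounded store.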