Limiting Login Attemps

One common way to reduce the likelihood of an account getting hacked is to limit the number of login attempts and lock the account once the number of failed logins reaches some threshold.

This is a reasonable way to prevent brute-force, and even most dictionary attacks. The problem is that most implementations count each and every login attempt. When someone forgets their password or types it in incorrectly, they usually try again a few times.

If you limit the number of attempts, it should detect if the passwords are the same (or possibly even similar) since they are obviously not an attack, but rather the user wondering why their password isn’t working (for example, they may be typing in the password for a different account).

Leave a Reply

Your email address will not be published. Required fields are marked *

3 + 7 =