>> Standard lockout after three fails is 15 minutes.
> Howzbout:
> a quarter second lockout after a fail;
> double that for each subsequent fail.
> Three tries to get it right will not be inconvenienced.
> But, by 32 tries, it's up to a billion seconds.
On Tue, 8 Jan 2019, Jon Elson wrote:
IP's view. I set the rules very strictly, so that
after 3 login failures
over a 2 month span, that IP was blocked for a year.
3 failures is not enough for some legitimate human failings.
I occasionally will forget a password, and make 4 or 5 tries; and then, a
few days later, remember it.
So, I MUCH prefer the concept of a logarithmically increasing lockout,
starting small.
Maybe as little as a millisecond, to permit a REASONABLE number of "maybe
it was...", but thoroughly block brute force and dictionary/list attempts.
About two dozen tries would give that year.
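An added example (my own, not code from anyone in the thread) of the doubling lockout being proposed, in Python: the per-failure delay, the failure count needed to reach a given lockout, and a small per-key throttle with a cap and a forget window (the 24-hour cap and 60-day window are my assumptions, chosen so a remote attacker cannot lock a legitimate user out indefinitely).

```python
import math
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365 * 24 * 3600


def lockout_after(failures: int, base: float, cap: float = math.inf) -> float:
    """Lockout (seconds) imposed after the n-th consecutive failure:
    the first failure waits `base`, each later one doubles it, bounded by `cap`."""
    if failures <= 0:
        return 0.0
    return min(base * 2.0 ** (failures - 1), cap)


def failures_to_reach(target: float, base: float) -> int:
    """Smallest consecutive-failure count whose lockout is at least `target` seconds."""
    return max(1, math.ceil(math.log2(target / base)) + 1)


@dataclass
class LoginThrottle:
    """Per-key (account or source IP) doubling lockout with a cap and a forget window.
    Defaults are assumptions for illustration, not values from the thread."""
    base: float = 0.25                        # first lockout, seconds
    cap: float = 24 * 3600.0                  # ceiling: limits attacker-induced lockout of a victim
    forget_after: float = 60 * 24 * 3600.0    # failures older than this no longer count
    _state: dict = field(default_factory=dict, repr=False)  # key -> [failures, locked_until, last_failure]

    def wait_time(self, key: str, now: float) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt may be made.
        Check this before verifying the credential and reject without checking it when > 0,
        otherwise the lockout does nothing against a guesser who ignores the delay."""
        entry = self._state.get(key)
        if entry is None:
            return 0.0
        return max(0.0, entry[1] - now)

    def record_failure(self, key: str, now: float) -> float:
        """Count a failed attempt and return the lockout it triggers."""
        failures, _, last = self._state.get(key, [0, 0.0, now])
        if now - last > self.forget_after:   # stale history: start over, as the "2 month span" does
            failures = 0
        failures += 1
        delay = lockout_after(failures, self.base, self.cap)
        self._state[key] = [failures, now + delay, now]
        return delay

    def record_success(self, key: str) -> None:
        """A correct login clears the failure history for that key."""
        self._state.pop(key, None)
```

With `failures_to_reach` you can check what a chosen starting delay actually yields for the "billion seconds" and "a year" figures before deploying the policy.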