Bogus "account hacked" message
Fred Cisin
cisin at xenosoft.com
Tue Jan 8 21:39:57 CST 2019
>>> Standard lockout after three fails is 15 minutes.
>> Howzbout:
>> a quarter second lockout after a fail;
>> double that for each subsequent fail.
>> Three tries to get it right will not be inconvenienced.
>> But, by 32 tries, it's up to a billion seconds.
On Tue, 8 Jan 2019, Jon Elson wrote:
> IP's view. I set the rules very strictly, so that after 3 login failures
> over a 2 month span, that IP was blocked for a year.
3 failures is not enough for some legitimate human failings.
I occasionally will forget a password, and make 4 or 5 tries; and then, a
few days later, remember it.
So, I MUCH prefer the concept of a logarithmically increasing lockout,
starting small.
Maybe as little as a millisecond, to permit a REASONABLE number of "maybe
it was...", but thoroughly block brute force and dictionary/list attempts.
About two dozen tries would give that year.
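As an added worked example (mine, not code from the post or from anyone in the cctalk thread), here is the doubling lockout sketched above as a small Python class: the delay after the n-th consecutive failure is base * 2**(n-1), a success resets the streak, and helper functions show how many failures it takes for a given starting delay to reach a given lockout. The class name, the one-year cap and the 60-day quiet window after which a failure streak is forgotten are my assumptions; the thread specifies none of them.

```python
"""Exponentially growing per-failure lockout (added example, not from the thread)."""
from dataclasses import dataclass, field

ONE_YEAR = 365 * 86400.0


@dataclass
class BackoffLockout:
    """Tracks failed attempts per key (an account name or a source IP).

    Assumed parameters: `base` is the delay after the first failure, `cap`
    bounds the delay, and a streak is forgotten after `window` quiet seconds.
    Times are plain floats so callers (and tests) can supply a clock.
    """
    base: float = 0.25
    cap: float = ONE_YEAR
    window: float = 60 * 86400.0
    _fails: dict = field(default_factory=dict)          # key -> consecutive failures
    _last_fail: dict = field(default_factory=dict)      # key -> time of last failure
    _blocked_until: dict = field(default_factory=dict)  # key -> end of lockout

    def delay_after(self, n: int) -> float:
        """Lockout imposed by the n-th consecutive failure: base * 2**(n-1), capped."""
        if n <= 0:
            return 0.0
        return min(self.base * 2.0 ** (n - 1), self.cap)

    def allowed(self, key: str, now: float) -> bool:
        """True if `key` may attempt a login at time `now`."""
        return now >= self._blocked_until.get(key, 0.0)

    def record(self, key: str, success: bool, now: float) -> float:
        """Record an attempt outcome; return the lockout (seconds) it imposes."""
        if success:
            for table in (self._fails, self._last_fail, self._blocked_until):
                table.pop(key, None)
            return 0.0
        n = self._fails.get(key, 0)
        if now - self._last_fail.get(key, now) > self.window:
            n = 0  # streak went quiet long enough; start counting afresh
        n += 1
        self._fails[key] = n
        self._last_fail[key] = now
        delay = self.delay_after(n)
        self._blocked_until[key] = now + delay
        return delay


def tries_to_reach(base: float, target: float) -> int:
    """Smallest failure count whose (uncapped) lockout is at least `target` seconds."""
    n, delay = 1, base
    while delay < target:
        n, delay = n + 1, delay * 2
    return n


def lockout_total(base: float, n: int) -> float:
    """Sum of the lockouts imposed by n consecutive failures: base * (2**n - 1)."""
    return base * (2.0 ** n - 1)


if __name__ == "__main__":
    # A forgetful human: three wrong guesses, waiting out each lockout, then the right one.
    lo = BackoffLockout(base=0.25)
    t = 0.0
    for guess in ("hunter1", "hunter3", "hunter4"):
        print(f"t={t:.2f}s allowed={lo.allowed('fred', t)} guess={guess!r}")
        t += lo.record("fred", False, t)
    print(f"t={t:.2f}s allowed={lo.allowed('fred', t)} success -> reset")
    lo.record("fred", True, t)
    # The attacker's view: which failure first earns a billion-second or a year-long lockout.
    print("quarter-second start, 1e9 s lockout at failure", tries_to_reach(0.25, 1e9))
    print("millisecond start, one-year lockout at failure", tries_to_reach(0.001, ONE_YEAR))
```

Two things a deployment has to decide that the thread leaves open: what the key is, and whether the count is cumulative. Keyed per account, anyone who knows a username can lock its owner out by failing on purpose, and a year-long cap makes that a cheap denial of service; keyed per source address, everyone behind a shared NAT is punished together while an attacker with many addresses starts each one at a quarter second. The `window` reset here is the compromise: a human who gives up and comes back a week later starts over, while a sustained run keeps doubling.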