Jeanne Boyarsky wrote: From the one-factor thread:
Jim Manico wrote:Last, if you really do not want to implement it, then you need to consider "account lockout" to keep brute force attacks at bay. Account lockout CAN be used to Denial of Service your site so be careful.
This is the design we used to prevent brute force login attempts on this site. I'm curious what weaknesses there are in it. All I can think of is that if you can present a fake IP, you could still do denial of service for logins. Even that wouldn't affect users who were logged in or anonymous users. And it would have to be kept up hour after hour.
My concern for any kind of IP-based blocking strategy is that sometimes you have thousands of users behind one IP address, like a large hotel, a large company or some ISPs. In these situations, failed logins from one IP may occur faster than expected.
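To make the shared-address concern concrete, here is an added illustration (not code from this site or from either poster) of a sliding-window login throttle. It compares the plain per-IP rule described above with a rule keyed on the (IP, account) pair, using a constructed hotel-NAT scenario; the thresholds, window length and the 198.51.100.7 address are assumptions chosen for the demonstration.

```python
from collections import deque
import time

WINDOW_SECONDS = 3600  # one-hour window, matching the design described in the thread


class LoginThrottle:
    """Sliding-window failed-login counter.

    Failures are keyed both by source IP and by (IP, account). ip_threshold alone
    is the naive per-IP block from the thread; account_threshold lets a shared NAT
    address stay usable while an account under attack still gets cut off.
    Pass ip_threshold=None to disable the per-IP rule.
    """

    def __init__(self, ip_threshold, account_threshold, now=time.time):
        self.ip_threshold = ip_threshold
        self.account_threshold = account_threshold
        self.now = now
        self.failures = {}  # key -> deque of failure timestamps (oldest first)

    def _recent(self, key):
        """Drop timestamps older than the window and return the live deque."""
        t = self.now()
        q = self.failures.setdefault(key, deque())
        while q and t - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def record_failure(self, ip, account):
        t = self.now()
        self._recent(ip).append(t)
        self._recent((ip, account)).append(t)

    def is_blocked(self, ip, account):
        if self.ip_threshold is not None and len(self._recent(ip)) >= self.ip_threshold:
            return True
        return len(self._recent((ip, account))) >= self.account_threshold


def shared_nat_scenario(ip_threshold, account_threshold):
    """Constructed scenario: five hotel guests behind one NAT address each mistype
    their own password once; then a sixth guest tries to log in; then one account
    receives account_threshold bad guesses. Returns (sixth_guest_blocked, victim_blocked)."""
    clock = [1_000_000.0]  # fake clock so the scenario is deterministic
    throttle = LoginThrottle(ip_threshold, account_threshold, now=lambda: clock[0])
    nat_ip = "198.51.100.7"  # documentation-range address, not a real host
    for guest in range(5):
        throttle.record_failure(nat_ip, f"guest{guest}")
        clock[0] += 60
    sixth_blocked = throttle.is_blocked(nat_ip, "guest5")
    for _ in range(account_threshold):
        throttle.record_failure(nat_ip, "victim")
    return sixth_blocked, throttle.is_blocked(nat_ip, "victim")
```

With a per-IP threshold of 5, the innocent sixth guest is locked out by five unrelated typos; keying on (IP, account) keeps that guest in while the hammered account is still blocked.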