Throttling login attempts

Front end | Unresolved | 5 | 2095
长发绾君心 2020-12-04 22:14

(This is in principle a language-agnostic question, though in my case I am using ASP.NET 3.5)

I am using the standard ASP.NET login control and would like to impleme

5 answers
  •  醉话见心
    2020-12-04 23:15

    I think you'll need to keep the count outside the session - otherwise the trivial attack is to clear cookies before each login attempt.

    Otherwise a count and lock-out is reasonable - although an easier solution might be to have a doubling-timeout between each login failure. i.e. 2 seconds after first login attempt, 4 seconds after next, 8 etc.

    You implement the timeout by refusing logins in the timeout period - even if the user gives the correct password - just reply with human-readable text saying that the account is locked out.

    Also monitor for same ip/different user and same user/different ip.
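The scheme in the answer above (a server-side, per-account doubling lockout that refuses even a correct password while locked, plus a same-IP/different-user and same-user/different-IP watch) as an added, language-agnostic example; this is not code from the original post and not an ASP.NET API. `LoginThrottle`, `ManualClock`, `demo` and the IP addresses are hypothetical names and constructed values.

```python
import time
from collections import defaultdict


class ManualClock:  # constructed stand-in for time.monotonic, for deterministic runs
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now


class LoginThrottle:
    """Per-account doubling lockout kept server-side (not in the session, so clearing
    cookies does not reset it). Hypothetical helper, not an ASP.NET API."""

    def __init__(self, base_seconds=2.0, max_seconds=3600.0, clock=time.monotonic):
        self.base, self.max, self.clock = base_seconds, max_seconds, clock
        self._failures = {}                 # username -> consecutive failures
        self._locked_until = {}             # username -> time the lockout ends
        self._user_ips = defaultdict(set)   # username -> source IPs seen
        self._ip_users = defaultdict(set)   # source IP -> usernames tried

    def seconds_locked(self, username):
        return max(0.0, self._locked_until.get(username, 0.0) - self.clock())

    def attempt(self, username, source_ip, password_ok):
        """Returns (accepted, message). A correct password is still refused while locked."""
        self._user_ips[username].add(source_ip)
        self._ip_users[source_ip].add(username)
        remaining = self.seconds_locked(username)
        if remaining > 0:
            return False, f"Account temporarily locked; try again in {remaining:.0f} seconds."
        if password_ok:
            self._failures.pop(username, None)
            return True, "Login successful."
        n = self._failures[username] = self._failures.get(username, 0) + 1
        # 2 s after the first failure, 4 s after the second, 8 s ... capped at max_seconds
        self._locked_until[username] = self.clock() + min(self.base * 2 ** (n - 1), self.max)
        return False, "Invalid username or password."

    def anomalies(self, threshold=3):
        # one IP trying many usernames, or one username arriving from many IPs
        return {"ips_with_many_users": sorted(ip for ip, u in self._ip_users.items() if len(u) >= threshold),
                "users_from_many_ips": sorted(u for u, ips in self._user_ips.items() if len(ips) >= threshold)}


def demo():
    """Three failures for one account; returns the lockout length imposed after each."""
    clock, delays = ManualClock(), []
    throttle = LoginThrottle(clock=clock)
    for _ in range(3):
        throttle.attempt("alice", "192.0.2.10", password_ok=False)  # constructed sample values
        delays.append(throttle.seconds_locked("alice"))
        clock.now += delays[-1]  # wait out the lockout before the next attempt
    return delays
```

In a real deployment the dictionaries would live in a shared store (database or cache) rather than in process memory, so the count survives restarts and is shared across web servers.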
