i’d like to prevent bots from hacking weak password-protected accounts. (e.g. this happend to ebay and other big sites)

So i’ll set a (mem-) cached value with the ip, amount of tries and timestamp of last try (memcache-fall-out).

But what about bots trying to open any account with just one password. For example, the bot tries all 500.000 Useraccounts with the password ‘password123’. Maybe 10 will open.

So my attempt was to just cache the ip with tries and set max-tries to ~50. The i would delete it after a successful login. So the good-bot would just login with a valid account every 49 tries to reset the lock.

Is there any way to do it right? What do big platforms do about this? What can i do to prevent idiots from blocking all users on a proxy with retrying 50 times?

If there is no best practice – does this mean any platform is brute-forceable? At least with a hint on when counters are resetted?