I’m trying to write an improved password reset function for one of our public-facing websites, and in addition to a better captcha I wanted to flag a username that attempts to login w/ no success x amount of times in under y minutes. The first thought was to have a database that logs each attempt and then, after the max amount of attempts in the time, we simply lock the account until a phone call is received from the employee’s manager to reset it.
What is a better approach that doesn’t require persistence via SQL? (Cookie/something else?) If one does not exist, how can I do this with a cleaner approach? For some reason my brain is full today.
Check this answer about Throttling them.
Throttling login attempts
Jeff Atwood has an interesting blog post about the subject in case you’re curious.
http://www.codinghorror.com/blog/archives/001206.html
Storing them in a database can get tedious, and you will end up worrying about flooding your table with failed login attempts. Storing something on the user’s machine that controls this is also tricky, because they have control over all of the files on their machine, and they could easily reset your failed login counter or, worse, send you faulty/malicious data back.
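As an added illustration of the server-side alternative the answers above point at (this is example code, not posted by the asker or any answerer): a sliding-window failed-login counter kept on the server, keyed by username, that prunes timestamps older than the window so nothing accumulates the way a log table would, and that trusts nothing from the client. The class name, the `clock` parameter and the default limits are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-username failed-login counter using a sliding time window.

    Only timestamps inside the window are retained, so memory per user is
    bounded by max_attempts. State lives on the server; a shared cache
    (e.g. Redis) would replace the dicts when running several web nodes.
    """

    def __init__(self, max_attempts=5, window_seconds=600,
                 lock_seconds=None, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        # None means "locked until an operator unlocks it" (the manager call
        # from the question); a number means an automatic expiry in seconds.
        self.lock_seconds = lock_seconds
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # username -> failure timestamps
        self.locked_until = {}               # username -> unlock time

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:            # automatic lock has expired
            del self.locked_until[user]
            return False
        return True

    def record_failure(self, user):
        """Register one failed attempt; return True if the account is now locked."""
        now = self.clock()
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_attempts:
            expiry = float("inf") if self.lock_seconds is None else now + self.lock_seconds
            self.locked_until[user] = expiry
            self.failures[user].clear()
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)

    def unlock(self, user):
        """Manual reset, e.g. after the manager's phone call."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```

Check `is_locked()` before verifying the password so a locked account is rejected without doing the credential check at all.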