I’ve seen web apps with limitations for user login attempts.
Is it a security necessity and, if so, why?
For example: you had three failed login attempts, let’s try again in 10 minutes!!
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve seen web apps with limitations for user login attempts.
Is it a security necessity and, if so, why?
For example: you had three failed login attempts, let’s try again in 10 minutes!!
Clarification This is a completion to the other answers. Using a good implemented captcha alongside an anti-bruteforce mechanism using sessions for example.
The questioner marked this as accepted assuming that captchas are unreadable by machines (she’s almost right) and so it’s getting negative points, because people think it’s not a complete answer & they’re right.
Also using a good implemented CAPTCHA could be an alternative way to enpower your application security against brute-force attacks. there’s a wide variety of captcha providers available for free, let’s try the easy way if you’re in a hurry. Also please consider that there’s people outta here saying that "oh, no! this captcha thing is not secure enough and they’re right sometimes!".