My method is currently: if the user credentials are wrong, I do log an attempt, but if the reCAPTCHA (that is displayed after three failed attempts) is wrong, I do not.
When at 3 failed attempts, I display reCAPTCHA.
When at 5 failed attempts, I lock the IP address (15 minutes).
Or, well, I have set every attempt to last for 15 minutes.
What I am concerned about is if I should delete the attempts that were made on success, or if I shouldn't? (After all, it is approximately 15 minutes.)
Depends on your security needs and policies. But consider that even though someone's "logged in", if the login was actually part of a distributed effort to break into the account, other nodes in the distributed login effort might still be attempting other passwords. Should the account get locked out if there are still other failed attempts, even though someone actually managed to get in?