On Tue, Aug 08, 2017 at 01:41:06PM +1000, teor wrote:
Use an exponentially-increasing timeout for the next login every time a login fails for a user. (Some sites do it for failed logins per IP address, too, but that's silly, because open proxies.) This is equivalent to an automatically-resetting lockout, but requires the attacker to spend as much time as the lockout time setting it up.
This was certainly the first one that came to my mind.
Though actually, I don't think there's any particular reason it needs to be exponentially increasing. "0 seconds of delay for the first 4 attempts, then 60 seconds of delay for subsequent attempts" might do the trick nicely.
--Roger
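Both throttling policies discussed above, as an added example that is not code from the list posters or from Tor: a per-user login throttle with a pluggable delay function, one implementing teor's exponential back-off and one implementing Roger's "free attempts, then a fixed delay". The injectable `now` clock and the default delay values are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


def exponential_delay(failures: int, base: float = 1.0, cap: float = 3600.0) -> float:
    """teor's policy: the wait doubles with every failed attempt (capped so it stays finite)."""
    if failures == 0:
        return 0.0
    return min(cap, base * 2 ** (failures - 1))


def threshold_delay(failures: int, free_attempts: int = 4, delay: float = 60.0) -> float:
    """Roger's policy: no wait for the first `free_attempts` failures, then a fixed wait."""
    return 0.0 if failures < free_attempts else delay


@dataclass
class LoginThrottle:
    """Tracks failures per user name (not per source IP, for the reason given in the thread).

    Note that any per-user delay lets someone who knows a user name impose
    waits on that user; the delay values should be chosen with that in mind.
    """
    policy: Callable[[int], float]
    now: Callable[[], float] = time.monotonic          # assumed injectable for testing
    _failures: Dict[str, int] = field(default_factory=dict)
    _not_before: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, credential_ok: bool) -> Tuple[bool, float]:
        """Return (accepted, seconds_to_wait).

        An attempt made inside the delay window is refused before the credential
        is evaluated, so it neither leaks information nor extends the window.
        """
        remaining = self._not_before.get(user, 0.0) - self.now()
        if remaining > 0:
            return False, remaining
        if credential_ok:
            # Successful login resets the counter for this user.
            self._failures.pop(user, None)
            self._not_before.pop(user, None)
            return True, 0.0
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        wait = self.policy(n)
        self._not_before[user] = self.now() + wait
        return False, wait
```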