Best practice against password attacks on web applications

I would like bots not to be able to crack weakly password-protected accounts. (For example, this happened with eBay and other major sites.)

So I set a (mem)cached value per IP with the number of retries and the last timestamp (memcache fall-out).

But what about bots trying to open any account with a single password? For example, the bot tries all 500,000 user accounts with the password "password123". Maybe 10 will open.

So my attempt was to simply cache the attempts per IP and set max-try to ~50. I delete it after a successful login. This way, a good bot will simply log in with a valid account every 49 attempts to reset the lock.

Is there any way to do this right? What do large platforms do? What can I do to prevent idiots from blocking all proxy users by retrying 50 times?

If there is no best practice, does this mean that any platform is brute-forceable? At least with a hint when counters are reset?

+3
8 answers

I think you can combine your solution with captchas:

  • Count the number of retries per IP
  • If there are too many attempts from a given IP address within a given time window, add a captcha to your login form.
+6
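The following is an added example (not code from the question or the answer) that puts the pieces together: per-IP retry counters in a cache, a captcha once a threshold is crossed, and a fix for the reset trick from the question, where a bot logs in with a valid account every 49 attempts to clear its counter. `FakeCache` stands in for memcached; the key names, thresholds, the three-state decision (allow / captcha / block) and the sample usernames are assumptions. `QuestionThrottle` reproduces the scheme from the question for comparison; `LoginThrottle` keeps separate per-IP, per-account and distinct-target counters and clears only the per-account counter on success, so one password sprayed across many accounts trips the distinct-target counter and a valid login no longer launders the IP.

```python
"""Login throttling: per-IP counters, captcha on threshold, and a fix
for the "log in with a valid account to reset the counter" bypass.
Added example, not code from the post. FakeCache stands in for
memcached; key names and thresholds are assumptions."""
import time

ALLOW, CAPTCHA, BLOCK = "allow", "captcha", "block"
WINDOW = 15 * 60      # seconds a counter lives (assumed)
IP_CAPTCHA = 20       # failures from one IP before a captcha
IP_BLOCK = 500        # failures from one IP before a hard block
ACCOUNT_CAPTCHA = 10  # failures against one account before a captcha
SPRAY_TARGETS = 10    # distinct usernames failed from one IP


class FakeCache:
    """memcached stand-in. Expiry is set when a key is created and never
    extended by later writes: a fixed window the attacker's own traffic
    cannot keep alive."""

    def __init__(self, clock=time.monotonic):
        self.clock, self.store = clock, {}

    def _live(self, key):
        item = self.store.get(key)
        if item is None or item[1] <= self.clock():
            self.store.pop(key, None)
            return None
        return item

    def get(self, key, default=None):
        item = self._live(key)
        return default if item is None else item[0]

    def delete(self, key):
        self.store.pop(key, None)

    def incr(self, key, ttl):
        item = self._live(key)
        if item is None:
            self.store[key] = [1, self.clock() + ttl]
            return 1
        item[0] += 1
        return item[0]

    def add_member(self, key, member, ttl):
        # Real memcached has no set type; there you would `add` a
        # first-seen key per (ip, user) and incr a distinct-target counter.
        item = self._live(key)
        if item is None:
            self.store[key] = [{member}, self.clock() + ttl]
        else:
            item[0].add(member)
        return len(self.store[key][0])


class QuestionThrottle:
    """The scheme from the question: one per-IP counter, max ~50 tries,
    deleted after a successful login."""

    def __init__(self, cache, max_try=50):
        self.cache, self.max_try = cache, max_try

    def decide(self, ip, username):
        return CAPTCHA if self.cache.get(f"q:{ip}", 0) >= self.max_try else ALLOW

    def record_failure(self, ip, username):
        self.cache.incr(f"q:{ip}", WINDOW)

    def record_success(self, ip, username):
        self.cache.delete(f"q:{ip}")  # the reset the bot abuses


class LoginThrottle:
    """Per-IP, per-account and distinct-target counters. A success clears
    only the per-account counter, so a bot's own valid logins do not
    launder its IP. Per-IP and per-account limits answer with a captcha,
    not a lockout, so shared proxies/NAT and victims are not denied."""

    def __init__(self, cache):
        self.cache = cache

    def decide(self, ip, username):
        user = username.lower()
        ip_fails = self.cache.get(f"ipfail:{ip}", 0)
        if ip_fails >= IP_BLOCK:
            return BLOCK
        if ip_fails >= IP_CAPTCHA:
            return CAPTCHA
        if len(self.cache.get(f"targets:{ip}", ())) >= SPRAY_TARGETS:
            return CAPTCHA  # one password against many accounts
        if self.cache.get(f"userfail:{user}", 0) >= ACCOUNT_CAPTCHA:
            return CAPTCHA
        return ALLOW

    def record_failure(self, ip, username):
        user = username.lower()
        self.cache.incr(f"ipfail:{ip}", WINDOW)
        self.cache.incr(f"userfail:{user}", WINDOW)
        self.cache.add_member(f"targets:{ip}", user, WINDOW)

    def record_success(self, ip, username):
        self.cache.delete(f"userfail:{username.lower()}")


def simulate(throttle, ip, usernames, valid_every=None):
    """Feed a bot's attempts to a throttle. Returns (attempts answered
    ALLOW before the first other decision, that decision); every
    `valid_every`-th attempt is a successful login, the reset trick."""
    for n, user in enumerate(usernames, start=1):
        decision = throttle.decide(ip, user)
        if decision != ALLOW:
            return n - 1, decision
        if valid_every and n % valid_every == 0:
            throttle.record_success(ip, user)
        else:
            throttle.record_failure(ip, user)
    return len(usernames), ALLOW


if __name__ == "__main__":
    spray = [f"user{i}" for i in range(1000)]  # constructed usernames
    print(simulate(QuestionThrottle(FakeCache()), "203.0.113.5", spray, 49))
    print(simulate(LoginThrottle(FakeCache()), "203.0.113.5", spray, 49))
```

With the reset trick the question's scheme never triggers over 1000 sprayed accounts, while the hardened throttle asks for a captcha after 10 distinct targets; a bot that instead cycles a handful of accounts and logs in every fifth attempt still hits the per-IP captcha after 24 attempts, because successes do not touch the IP counter. The per-account counter is the one that is cleared on success, and it leads to a captcha rather than a lockout, so an attacker cannot use it to lock real users out.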

