
Security Best Practice on failed login attempts

Newbie
Join Date: Sep 2009
Posts: 3
#1: Oct 12 '09
Hi,
I am designing a login mechanism for a website. Presently, I am blocking the user account for 1 hour if there are 3 failed login attempts within 1 hour.
However, I want to know if there is any best practice that can be followed on failed login attempts.
Any help would be greatly helpful.
Thanks,
Dharmesh
RedSon
Site Moderator
Join Date: Jan 2007
Location: America
Posts: 3,387
#2: 4 Weeks Ago

re: Security Best Practice on failed login attempts


Blocking someone's access for an hour after 3 login attempts is one way you can prevent DoS attacks, and also make it more difficult for a person to try dictionary-based attacks.

Another way to do it is to add a CAPTCHA to the login page to confirm that it's not a script that is attempting to log in.

Some websites lock accounts completely after 3-5 failed attempts while others use things like RSA SecurID.

There are several things that can be done. You should determine which one is going to work the best for your situation.
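One way to implement the policy described in the question (3 failed attempts within an hour block the account for an hour), as an added example that is not code from either poster; the thresholds as constructor parameters and the 'locked'/'ok'/'denied' return values are assumptions. The lock is checked before the credential result is consulted, and failures are counted over a sliding window rather than a fixed clock hour.

```python
from collections import defaultdict, deque


class LoginAttemptTracker:
    """Sliding-window lockout: after `max_failures` failed logins within
    `window_seconds`, the account is blocked for `lockout_seconds`.
    Timestamps are passed in explicitly so the policy can be exercised offline."""

    def __init__(self, max_failures=3, window_seconds=3600, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: forget it and start with a clean window.
        del self._locked_until[user]
        self._failures[user].clear()
        return False

    def attempt(self, user, credentials_ok, now):
        """Apply the policy to one login attempt. Returns 'locked', 'ok' or 'denied'.
        The lock is checked before `credentials_ok` is consulted, so a correct
        password presented during the lockout is still refused."""
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            self._failures[user].clear()  # a successful login resets the count
            return "ok"
        q = self._failures[user]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "denied"
```

Because the lock is keyed on the account, anyone who knows a username can trigger it with three bad passwords, which is one reason a CAPTCHA or a per-source limit is usually combined with this rather than used instead of it.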

