I've been doing some research on security and it seems like hashing/salting passwords is a good idea - but still not really all that secure against dictionary attacks (the salt just makes the hacker run their dictionary against every single account - not much of a challenge for a competent hacker).

Just wondering what value would be added by adding some column to the database to record failed login attempts. The idea would be that the column holds an integer value that gets incremented on every failed login attempt. Then when it reaches some arbitrary value (say 10 failed attempts), that particular account gets "locked" out (i.e., the validation logic would not even try to validate the user after 10 failed attempts) and the user is informed that they need to jump through some hoops in order to unlock the account (call tech support or whatever). Also, this counter for failed login attempts would get reset to zero on every successful login attempt.

Is doing something like this a good idea? Bad idea?
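An added example (not from the question or from any particular system) of the counter-based lockout described above, written in Python against an in-memory SQLite table: the table layout, the threshold constant and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_FAILED_ATTEMPTS = 10  # the "say 10 failed attempts" threshold from the question


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed value, not a recommendation
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_db() -> sqlite3.Connection:
    # Constructed schema: the extra failed_logins column is the one the question proposes
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB, "
        "failed_logins INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def add_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt
    conn.execute("INSERT INTO users VALUES (?, ?, ?, 0)", (name, salt, hash_password(password, salt)))


def login(conn: sqlite3.Connection, name: str, password: str) -> str:
    """Return 'ok', 'bad_credentials' or 'locked'."""
    row = conn.execute("SELECT salt, hash, failed_logins FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "bad_credentials"  # same answer as a wrong password, so usernames are not confirmed
    salt, stored, failed = row
    if failed >= MAX_FAILED_ATTEMPTS:
        # Locked: the password is not checked at all, exactly as the question proposes
        return "locked"
    if hmac.compare_digest(hash_password(password, salt), stored):
        conn.execute("UPDATE users SET failed_logins = 0 WHERE name = ?", (name,))  # reset on success
        return "ok"
    # Increment inside SQL so two concurrent failures cannot overwrite each other's count
    conn.execute("UPDATE users SET failed_logins = failed_logins + 1 WHERE name = ?", (name,))
    return "bad_credentials"


def failed_count(conn: sqlite3.Connection, name: str) -> int:
    return conn.execute("SELECT failed_logins FROM users WHERE name = ?", (name,)).fetchone()[0]
```

Because the lock is keyed only on the account name, the same counter that slows down guessing also lets repeated wrong passwords from anyone lock the legitimate user out, so deployments usually pair it with a timed unlock and per-source rate limiting rather than a permanent lock.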