
Ask HN: Why are brute force attacks allowed to work? - tomcam
I am a terrible sysadmin, so I'm sure I'm missing something obvious. But why are brute force attacks allowed to work? Why not just set a timer to double (or even merely increment) the number of seconds the attacker must wait after each failed attempt?

My only guess is that an IP address is not in fact a machine address, but a network address, which means that if someone at BigCo HQ is trying to log in from the same IP address as a virus-infected machine on the same network or subnet, they aren't supposed to get penalized. But I think MAC addresses, which are machine-specific, are available in the TCP/IP packets, so why not use them?
======
tlb
MAC addresses of the source machine aren't available beyond the local network.

Many systems do have velocity limits. They're somewhat difficult to implement
and can have false positives, as you mention, for corporate gateways. An
article about an industrial-strength rate limiting system is at
[https://brandur.org/redis-cluster](https://brandur.org/redis-cluster).

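An added example (not code from the thread or from the linked article) of the doubling timer tomcam proposes, with the state keyed on (account, client IP) rather than IP alone so that one infected machine behind a corporate gateway does not lock out every colleague sharing that egress address. The class name `BackoffLimiter`, the 1 s base delay, the 1 h cap and the injectable clock are all assumptions of this example.

```python
import time
from dataclasses import dataclass


@dataclass
class FailureState:
    failures: int = 0          # consecutive failed attempts for this key
    locked_until: float = 0.0  # monotonic timestamp before which attempts are refused


class BackoffLimiter:
    """Exponential backoff on failed logins: the wait doubles after each
    consecutive failure and is capped; a successful login resets the key.
    (Hypothetical class for this example; not from the thread.)"""

    def __init__(self, base_delay=1.0, max_delay=3600.0, now=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.now = now              # injectable clock so behaviour is testable
        self._state = {}

    @staticmethod
    def key(username, client_ip):
        # Keying on (account, IP) instead of IP alone: a shared NAT address
        # only throttles the account actually being hammered, while a single
        # attacker hitting one account from one address is still slowed.
        return (username.lower(), client_ip)

    def check(self, username, client_ip):
        """Seconds the client must still wait; 0.0 means the attempt may proceed."""
        st = self._state.get(self.key(username, client_ip))
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.now())

    def record_failure(self, username, client_ip):
        """Register a failed attempt and return the new mandatory wait in seconds."""
        st = self._state.setdefault(self.key(username, client_ip), FailureState())
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.locked_until = self.now() + delay
        return delay

    def record_success(self, username, client_ip):
        """A correct login clears the backoff state for that (account, IP)."""
        self._state.pop(self.key(username, client_ip), None)
```

The cap keeps the wait from growing without bound; pairing the limiter with a per-account counter across all IPs is the usual next step, and that is where greenyoda's lockout policy and its own false-positive risk come in.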
------
greenyoda
A pretty common policy is to lock out an account after a few consecutive
failed login attempts.

