Hacker News

Most really strong systems lock an account after a couple of incorrect guesses. I assume this is all for systems that may not be secured to prevent brute force.


Locking the account is the wrong way to go about it since it makes DoS on known accounts trivial.

Blocking the IP or an increasing time between tries is, afaik, the "right way".
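To make the trade-off concrete, here is an added example (not code from either commenter) contrasting the two designs: a per-account lockout counter, where anyone who knows a username can lock its owner out with a handful of wrong guesses, and a per-source throttle with an increasing delay between attempts, which slows a guessing source without ever locking the account. The thresholds (five failures for lockout; 1 s base delay doubling per failure, capped at 15 minutes, forgotten after an hour of quiet) and the IP addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# --- Design 1 (weak): lock the account after N failures, regardless of source ---
LOCKOUT_THRESHOLD = 5  # assumed value for illustration


class AccountLockout:
    """Counts failures per account; once the threshold is hit the account is locked
    for everyone, including its legitimate owner."""

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}

    def attempt(self, username: str, password_ok: bool) -> bool:
        if self._failures.get(username, 0) >= LOCKOUT_THRESHOLD:
            return False  # locked: even a correct password is refused
        if password_ok:
            self._failures.pop(username, None)
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        return False


# --- Design 2 (preferred): increasing delay per source, account never locked ---
BASE_DELAY = 1.0          # seconds after the first failure (assumed)
MAX_DELAY = 15 * 60.0     # cap so the delay cannot grow without bound (assumed)
FORGET_AFTER = 60 * 60.0  # drop state for a source quiet this long (assumed)


@dataclass
class _SourceState:
    failures: int = 0
    not_before: float = 0.0  # earliest time the next attempt is accepted
    last_seen: float = 0.0


class LoginThrottle:
    """Exponential backoff keyed by source address. A failing source waits
    longer and longer; other sources and the account itself are unaffected."""

    def __init__(self) -> None:
        self._sources: Dict[str, _SourceState] = {}

    def retry_after(self, ip: str, now: float) -> float:
        st = self._sources.get(ip)
        if st is None:
            return 0.0
        if now - st.last_seen > FORGET_AFTER:
            del self._sources[ip]  # stale state: forget it
            return 0.0
        return max(0.0, st.not_before - now)

    def attempt(self, ip: str, username: str, password_ok: bool, now: float) -> Tuple[bool, float]:
        """Return (accepted, retry_after_seconds). A positive retry_after means the
        attempt was refused before the credential was checked."""
        wait = self.retry_after(ip, now)
        if wait > 0:
            return False, wait
        st = self._sources.setdefault(ip, _SourceState())
        st.last_seen = now
        if password_ok:
            self._sources.pop(ip, None)  # success clears the backoff for this source
            return True, 0.0
        st.failures += 1
        delay = min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        st.not_before = now + delay
        return False, delay


def owner_locked_out_after_guessing() -> bool:
    """Weak design: five wrong guesses from anyone lock out the real owner."""
    lock = AccountLockout()
    for _ in range(LOCKOUT_THRESHOLD):
        lock.attempt("alice", password_ok=False)
    return not lock.attempt("alice", password_ok=True)


def owner_unaffected_by_throttled_source() -> bool:
    """Throttled design: a guessing source backs off, the owner still logs in."""
    throttle = LoginThrottle()
    guesser, owner = "198.51.100.7", "203.0.113.9"  # constructed addresses
    throttle.attempt(guesser, "alice", False, now=0.0)   # delay 1 s
    throttle.attempt(guesser, "alice", False, now=1.0)   # delay 2 s
    throttle.attempt(guesser, "alice", False, now=3.0)   # delay 4 s
    refused, wait = throttle.attempt(guesser, "alice", False, now=4.0)
    ok, _ = throttle.attempt(owner, "alice", True, now=4.0)
    return (not refused) and wait == 3.0 and ok


if __name__ == "__main__":
    print("lockout lets a stranger lock the owner out:", owner_locked_out_after_guessing())
    print("throttle keeps the owner logged in:", owner_unaffected_by_throttled_source())
```

The throttle keys on source address only, so a single guessing host is slowed without any account-wide state that a stranger could trip; the cap keeps the delay bounded, and the forget window prevents the table from growing forever.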




