by zkhalique
3934 days ago
Either way, how are you going to rate-limit failed logins while at the same time not allowing a DDoS of a user login? If I am using a botnet to keep trying passwords for Sarah Palin, how are you going to know when the real Sarah Palin logs in from a new computer? Sarah Palin will never be able to log in again from a new computer, unless she uses a key from her old one.

At some point you have to accept that administrators will need to do some work, and if 200 IPs are trying to log into the same account 5 times every 15 minutes, you should probably email the user and lock the account.
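The per-account heuristic the comment describes (many distinct IPs failing against one account within a 15-minute window), as an added example that is not part of the original thread: a sliding-window detector run over a constructed auth log. The log format, the `spalin`/`bob`/`alice` accounts and the thresholds are assumptions; the defaults are lowered from the comment's 200 IPs so the small sample trips the rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original page): one event per line,
# "<ISO timestamp> <FAIL|OK> user=<account> ip=<address>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=spalin ip=203.0.113.10
2024-05-01T10:00:30 FAIL user=spalin ip=203.0.113.11
2024-05-01T10:01:00 FAIL user=spalin ip=203.0.113.12
2024-05-01T10:01:30 FAIL user=spalin ip=203.0.113.13
2024-05-01T10:02:00 FAIL user=spalin ip=203.0.113.14
2024-05-01T10:02:30 FAIL user=spalin ip=203.0.113.15
2024-05-01T10:03:00 FAIL user=bob ip=198.51.100.7
2024-05-01T10:03:10 FAIL user=bob ip=198.51.100.7
2024-05-01T10:03:20 OK   user=bob ip=198.51.100.7
2024-05-01T10:40:00 FAIL user=alice ip=192.0.2.5
2024-05-01T10:40:10 FAIL user=alice ip=192.0.2.6
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+ip=(\S+)$")


def detect_distributed_bruteforce(log_text, window=timedelta(minutes=15),
                                  min_failures=5, min_distinct_ips=3):
    """Return {account: (distinct_ip_count, failure_count)} for every account
    whose failed logins inside a sliding window came from enough distinct IPs.
    A single IP hammering one account is left to ordinary per-IP rate limiting;
    this rule targets the botnet case the comment describes."""
    recent = defaultdict(deque)  # account -> deque of (timestamp, ip) failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.fromisoformat(m.group(1))
        outcome, account, ip = m.group(2), m.group(3), m.group(4)
        if outcome != "FAIL":
            continue  # only failures count toward the window
        q = recent[account]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        ips = {entry[1] for entry in q}
        if len(q) >= min_failures and len(ips) >= min_distinct_ips:
            flagged[account] = (len(ips), len(q))  # candidate for notify+lock
    return flagged
```

With the defaults only `spalin` is flagged; `bob` fails twice from one IP and `alice` twice from two IPs, both below threshold.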