by prairiedock 3390 days ago
Can anyone explain why all authentication systems don't enforce a (say) 2-second delay on repeated password attempts? Wouldn't this solve nearly all insufficient entropy problems?

Even a 5-character password should suffice in this situation, and a human user would never even notice the 2-second delay. How would malevolent password-crackers get around this?

4 comments

It's hard to do at application level, because you might have a multi-threaded or multi-server setup.

Luckily, there are out-of-the-box solutions that are easy to set up, e.g. Fail2ban.

Fail2ban scans your server logs, spots repeat login attempts, and sets up a temporary iptables ban on their IP.

I really like Fail2ban for SSH lockdowns, but I worry about using it for repeat login attempts on an application. Depending on the application, this could possibly lock out everyone in an office, campus, etc. For certain critical services being used by everyone, this could cause a fair amount of headache.

Even with a delay of 2 seconds, I can check your password against the most-common 10,000 passwords list in 6 hours.

And I can run the check in parallel. So if I have 1,000 email addresses I can find all the users with low-entropy passwords in just 6 hours.

The most common 5-character password is 12345. Users will definitely use that if you let them.

Also anyone who swipes the server's DB would have an easier time cracking the hashes, even if you use bcrypt/scrypt.
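The two points above, that a per-account delay does nothing against guesses spread across many accounts and that a blanket per-IP ban can lock out a whole office, can both be handled by throttling on two axes at once. The following is an added illustration, not code from the thread or from Fail2ban: a throttle that applies the 2-second (exponentially growing) delay per account and, separately, stops a single source from touching new accounts once its failures have covered many distinct ones in a window, plus a scan over constructed log lines that flags the same pattern after the fact. The class and function names, the thresholds, the `ts source account result` log format and the sample IPs are all assumptions made for the example.

```python
"""Per-account delay plus per-source spray limiting, and a log scan for the
spray pattern. Added example; names, thresholds and log format are assumed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # sliding window for per-source bookkeeping
SPRAY_ACCOUNT_THRESHOLD = 20  # distinct failed accounts from one source
LOCK_AFTER_FAILURES = 10      # consecutive failures that lock one account
BASE_DELAY = 2.0              # the 2-second delay from the question


class LoginThrottle:
    """Decides, before the password is checked, whether an attempt may proceed."""

    def __init__(self):
        self.fails = defaultdict(int)            # account -> consecutive failures
        self.next_allowed = defaultdict(float)   # account -> earliest next attempt
        self.source_fails = defaultdict(deque)   # source -> deque of (ts, account)

    def _prune(self, source, now):
        q = self.source_fails[source]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, account, source, now):
        """Return (allowed, reason)."""
        if self.fails[account] >= LOCK_AFTER_FAILURES:
            return False, "account-locked"
        if now < self.next_allowed[account]:
            return False, "account-delay"
        self._prune(source, now)
        distinct = {acct for _, acct in self.source_fails[source]}
        # A source that has already failed on many different accounts may not
        # move on to yet another one. Accounts it has already used (e.g. real
        # users behind a shared office IP) are still governed only by their own
        # per-account delay, so the office is not locked out wholesale.
        if len(distinct) >= SPRAY_ACCOUNT_THRESHOLD and account not in distinct:
            return False, "source-spraying"
        return True, "ok"

    def record(self, account, source, now, success):
        """Update counters after the password check."""
        if success:
            self.fails[account] = 0
            self.next_allowed[account] = now
            return
        self.source_fails[source].append((now, account))
        self.fails[account] += 1
        # Per-account exponential backoff: 2 s, 4 s, 8 s ... capped at 5 minutes.
        delay = min(BASE_DELAY * 2 ** (self.fails[account] - 1), 300.0)
        self.next_allowed[account] = now + delay


def simulate_spray(throttle, source, n_accounts, start=0.0):
    """One wrong guess per account from a single source, 2 s apart; returns
    how many attempts the throttle let through. The per-account delay alone
    never fires here because each account is tried only once."""
    allowed = 0
    for i in range(n_accounts):
        now = start + BASE_DELAY * i
        account = f"user{i:02d}"
        ok, _ = throttle.check(account, source, now)
        if ok:
            allowed += 1
            throttle.record(account, source, now, success=False)
    return allowed


def build_sample_log():
    """Constructed sample lines (not real data): 203.0.113.5 fails once on 25
    accounts, while 198.51.100.9 is an office IP with one typo and two logins."""
    lines = [f"{1000 + 2 * i} 203.0.113.5 user{i:02d} FAIL" for i in range(25)]
    lines += ["1010 198.51.100.9 alice FAIL",
              "1015 198.51.100.9 alice OK",
              "1020 198.51.100.9 bob OK"]
    return lines


def detect_spraying(log_lines, threshold=SPRAY_ACCOUNT_THRESHOLD):
    """Scan 'ts source account result' lines; return {source: distinct accounts}
    for sources whose failures touched >= threshold accounts inside the window."""
    per_source = defaultdict(deque)
    flagged = {}
    for line in log_lines:
        ts, source, account, result = line.split()
        if result != "FAIL":
            continue
        ts = float(ts)
        q = per_source[source]
        q.append((ts, account))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print("attempts let through:", simulate_spray(LoginThrottle(), "203.0.113.5", 25))
    print("flagged sources:", detect_spraying(build_sample_log()))
```

With only the per-account rule, all 25 single guesses in the simulation would pass; the per-source rule stops the run at 20 distinct accounts while leaving accounts already seen from that source usable. The log scan reaches the same verdict from records alone, which is the form a SIEM rule or a Fail2ban-style filter would take, keyed on distinct accounts per source rather than on raw attempt counts.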

The main problem is not the response time of HTTP requests. It's when you are hacked and the database is leaked and becomes available for anyone to brute force at any speed they want.