undefined | Better HN

0 pointshombre_fatal6y ago0 comments

So I can lock you out of your account with 3 attempts from any IP address?

0 comments

For a minute usually. Prevents flooding. Not a bad approach unless the account is constantly hit. In those cases two factor auth makes sense.

DownGoat6y ago

This is obviously a bad idea. It costs nothing for an attacker to send 3 http requests, every minute, every hour, all day. They could lock your account basically forever. IP filtering and locking accounts are terrible ways of preventing password spraying.

j / k navigate · click thread line to collapse

0 comments

wolco6y ago

For a minute usually. Prevents flooding. Not a bad approach unless the account is constantly hit. In those cases two factor auth makes sense.

DownGoat6y ago

j / k navigate · click thread line to collapse