Standard lockout after three fails is 15 minutes.
Howzbout:
a quarter second lockout after a fail;
double that for each subsequent fail.
Three tries to get it right will not be inconvenienced.
But, by 32 tries, it's up to a billion seconds.

On Tue, 8 Jan 2019, Jon Elson wrote:
> IP's view. I set the rules very strictly, so that after 3 login failures over a 2 month span, that IP was blocked for a year.


3 failures is not enough for some legitimate human failings.
I occasionally will forget a password, and make 4 or 5 tries; and then, a few days later, remember it. So, I MUCH prefer the concept of a logarithmically increasing lockout, starting small. Maybe as little as a millisecond, to permit a REASONABLE number of "maybe it was...", but thoroughly block brute force and dictionary/list attempts.
About two dozen tries would give that year.
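The doubling lockout proposed in the first message (a quarter second after the first failure, doubled for each subsequent one) and the small-starting schedule preferred in the reply, written out as an added example that is not part of the thread. It is a self-contained in-memory model with a constructed per-client state store; the `cap` and `forget_after` parameters are my assumptions, added so the schedule can be bounded and old failures forgiven.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class BackoffLockout:
    """Doubling lockout: after the n-th consecutive failure a client must wait
    base * 2**(n-1) seconds before another attempt is even evaluated."""
    base: float = 0.25                    # first lockout in seconds (the quarter second above)
    cap: Optional[float] = None           # assumed: optional ceiling on a single lockout
    forget_after: Optional[float] = None  # assumed: quiet seconds after which failures reset
    # key -> (consecutive failures, locked_until, time of last failure); constructed store
    state: Dict[str, Tuple[int, float, float]] = field(default_factory=dict)

    def delay_after(self, n: int) -> float:
        """Lockout imposed by the n-th consecutive failure."""
        if n <= 0:
            return 0.0
        d = self.base * 2 ** (n - 1)
        return d if self.cap is None else min(d, self.cap)

    def total_wait(self, n: int) -> float:
        """Cumulative waiting a guesser pays to get n guesses evaluated (base*(2**n-1) uncapped)."""
        return sum(self.delay_after(i) for i in range(1, n + 1))

    def failures_to_reach(self, seconds: float) -> int:
        """Smallest failure count whose single lockout is at least `seconds`."""
        if self.base <= 0 or (self.cap is not None and self.cap < seconds):
            raise ValueError("schedule never reaches that lockout")
        n = 1
        while self.delay_after(n) < seconds:
            n += 1
        return n

    def attempt(self, key: str, now: float, password_ok: bool) -> Tuple[str, float]:
        """One login attempt for `key` (account or source address) at time `now`.
        Returns (status, wait): 'locked' (not evaluated), 'fail' (next lockout) or 'ok'."""
        count, locked_until, last = self.state.get(key, (0, 0.0, 0.0))
        if now < locked_until:
            return "locked", locked_until - now   # refused before the password is checked
        if self.forget_after is not None and now - last > self.forget_after:
            count = 0                             # old failures no longer count against the user
        if password_ok:
            self.state.pop(key, None)             # success clears the history
            return "ok", 0.0
        count += 1
        wait = self.delay_after(count)
        self.state[key] = (count, now + wait, now)
        return "fail", wait
```

`failures_to_reach(SECONDS_PER_YEAR)` shows how many consecutive failures a given `base` needs before a single lockout lasts a year; a refused-while-locked attempt is not counted, so it cannot be used to inflate the lockout further.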
