moderated Re: Limit Number of Unsuccessful Logins #suggestion


Rick Smith
 

If there’s to be a hard limit on attempts, I’d recommend something between 10 and 20. If it’s lower, it penalizes those who rarely log in but actually try to remember a password for this particular site.

NIST’s latest password recommendation is a bit more sophisticated: no hard limit on attempts, but the account suffers an increasing delay between logins.

FWIW I wrote a book on this 20 years ago, and my cybersecurity textbook is in its 3rd edition. This doesn’t guarantee I’m right, but I’ve dealt with this question a bit.

Rick Smith.

Join main@beta.groups.io to automatically receive all group messages.