Brute force attack failsafe login in ASP.NET

Lieven Cardoen · Aug 19, 2010 · Viewed 7.3k times

I just read an article saying that passwords with 7 characters are no longer safe. However, if the server increases the time to retry a login attempt after each login attempt, then brute force attacks are useless. How do you create such logic in ASP.NET? Somehow I guess the server-side code needs to remember the IP address that tried to log in and should increase the response time with each new try?

Answer

3Dave · Aug 19, 2010

IP address isn't really a secure method of identifying the user. You could try storing the last time a login attempt was submitted in a cookie, but if the browser doesn't accept them, it'll be of limited use. Session variables also require cookies, so they're out.

Some sites (Yahoo comes to mind) start showing a CAPTCHA form after the third or so attempt. You have to correctly answer the CAPTCHA in addition to your login details.

Another option would be to disable an account after X failed attempts (which can be tracked in your database), but I personally dislike this as it tends to force me to call someone to get my password reset whenever I forget one.
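The three mechanisms the answer mentions (an escalating delay per attempt, a CAPTCHA after the third or so failure, and a lockout after X failures tracked server-side) fit together in one per-account throttle. The following is an added example, not code from the question or the answer, and it is written in Python rather than C# so the logic can be read on its own; in an ASP.NET application the same checks would run in the login handler against a database table. Failures are keyed by the submitted account name rather than by IP address, the lockout is temporary rather than a permanent disable (the answer's objection to disabling accounts), and the in-memory dict, the constants, the `USERS` table and all function names are assumptions for illustration.

```python
"""Per-account login throttle: escalating delay, CAPTCHA threshold, temporary lockout.
Added example, not from the original post. The dict in LoginThrottle stands in for
the database table the answer says failed attempts can be tracked in."""
from dataclasses import dataclass
import hashlib
import hmac
import time

CAPTCHA_AFTER = 3          # failures before a CAPTCHA is demanded (assumed value)
LOCKOUT_AFTER = 10         # failures before the account is temporarily locked
LOCKOUT_SECONDS = 15 * 60  # lock duration; expires on its own, no reset call needed
MAX_DELAY = 60             # cap on the escalating per-attempt delay, in seconds


@dataclass
class Decision:
    allowed: bool               # may the caller even check the password now?
    wait_seconds: float = 0.0   # how long until the next attempt is accepted
    captcha_required: bool = False
    locked: bool = False


@dataclass
class AttemptRecord:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


def normalize(username: str) -> str:
    # "Alice", "alice " and "ALICE" must share one counter or the limit is bypassed.
    return username.strip().lower()


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the schedule can be tested
        self._records: dict[str, AttemptRecord] = {}  # stand-in for a DB table

    @staticmethod
    def delay_for(failures: int) -> float:
        # 0, 1, 2, 4, 8, ... seconds, capped at MAX_DELAY
        if failures == 0:
            return 0.0
        return float(min(2 ** (failures - 1), MAX_DELAY))

    def _record(self, username: str) -> AttemptRecord:
        return self._records.setdefault(normalize(username), AttemptRecord())

    def check(self, username: str) -> Decision:
        rec = self._record(username)
        now = self._clock()
        captcha = rec.failures >= CAPTCHA_AFTER
        if rec.locked_until > now:
            return Decision(False, rec.locked_until - now, captcha, locked=True)
        next_allowed = rec.last_failure + self.delay_for(rec.failures)
        if next_allowed > now:
            return Decision(False, next_allowed - now, captcha)
        return Decision(True, 0.0, captcha)

    def record_failure(self, username: str) -> int:
        rec = self._record(username)
        now = self._clock()
        rec.failures += 1
        rec.last_failure = now
        if rec.failures >= LOCKOUT_AFTER:
            rec.locked_until = now + LOCKOUT_SECONDS
        return rec.failures

    def record_success(self, username: str) -> None:
        # A correct login clears the counter; otherwise legitimate users accumulate delay.
        self._records.pop(normalize(username), None)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, password hash). Not real credentials.
USERS = {"alice": (b"salt-alice", _hash("correct horse", b"salt-alice"))}
_DUMMY = (b"dummy-salt", _hash("not-a-password", b"dummy-salt"))


def login(throttle: LoginThrottle, username: str, password: str,
          captcha_solved: bool = False) -> str:
    """Returns one of: 'wait', 'locked', 'captcha', 'denied', 'ok'."""
    decision = throttle.check(username)       # throttle first, before any password work
    if not decision.allowed:
        return "locked" if decision.locked else "wait"
    if decision.captcha_required and not captcha_solved:
        return "captcha"
    # Unknown users get a dummy hash so timing does not reveal whether the account exists.
    salt, expected = USERS.get(normalize(username), _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected) and normalize(username) in USERS
    if ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

The order inside `login` is the point: the throttle decision is taken before the password is hashed or compared, the failure counter is keyed by the normalized account name so an attacker rotating IP addresses still hits the same counter, and a successful login clears it. Because the lockout carries an expiry, a locked-out user waits `LOCKOUT_SECONDS` instead of having to call someone for a reset.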