Limiting user login attempts in PHP

user80276 · Mar 25, 2009 · Viewed 13.7k times

I've seen web apps with limitations for user login attempts.

Is it a security necessity and, if so, why?

For example: you had three failed login attempts, let's try again in 10 minutes!!

Answer

scunliffe · Mar 25, 2009

I saw a creative approach to this once...

For each login attempt that fails, the lockout time increases... exponentially.

attempt | lockout time
======================
   1    |     2s
   2    |     4s
   3    |     8s
   4    |    16s
   5    |    32s
   6    |    64s
   7    |   128s
   8    |   256s
   9    |   512s
  10    |  1024s

In theory, it lets the user make a mistake or two, but as soon as it appears to become a "hacking" attempt, the hacker gets locked out for longer and longer time periods.

I haven't used this myself (yet), but conceptually I quite like the idea. Of course on successful login, the counter is reset.
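The table above turned into PHP, as an added example that is not the answer's own code: lockouts are tracked per account, the in-memory array stands in for whatever store (database row, Redis key) the app keeps login state in, and the upper cap on the lockout is an assumption the answer does not mention. Checking the throttle before verifying the password means a locked account never reaches the credential check.

```php
<?php
// Added example (not from the original answer). PHP 8+ for constructor promotion.
// $state is an in-memory stand-in for a persistent store keyed by account.
final class LoginThrottle
{
    private array $state = []; // account => ['failures' => int, 'lockedUntil' => int]

    public function __construct(
        private int $baseSeconds = 2,   // 1st failure: 2s, then 4s, 8s, ... as in the table
        private int $maxSeconds = 3600  // assumed cap; the answer's table grows unbounded
    ) {}

    /** Seconds remaining before the account may try again; 0 when not locked. */
    public function retryAfter(string $account, int $now): int
    {
        $s = $this->state[$account] ?? null;
        return $s === null ? 0 : max(0, $s['lockedUntil'] - $now);
    }

    /** Record a failed attempt and return the new lockout length in seconds. */
    public function recordFailure(string $account, int $now): int
    {
        $failures = ($this->state[$account]['failures'] ?? 0) + 1;
        // baseSeconds * 2^(failures-1): 2, 4, 8, 16 ... capped at maxSeconds
        $lockout = (int) min($this->maxSeconds, $this->baseSeconds * (2 ** ($failures - 1)));
        $this->state[$account] = ['failures' => $failures, 'lockedUntil' => $now + $lockout];
        return $lockout;
    }

    /** On successful login the counter is reset, as the answer says. */
    public function recordSuccess(string $account): void
    {
        unset($this->state[$account]);
    }
}

// Constructed walk-through: four wrong passwords for the same account, then a good one.
$throttle = new LoginThrottle();
$now = time();
for ($attempt = 1; $attempt <= 4; $attempt++) {
    if ($throttle->retryAfter('alice', $now) > 0) {
        echo "still locked, would answer HTTP 429 with Retry-After\n";
        continue; // the password is not even checked while locked
    }
    $lockout = $throttle->recordFailure('alice', $now);
    printf("attempt %d failed: locked out for %ds\n", $attempt, $lockout);
    $now += $lockout; // simulate the user waiting out the lockout
}
$throttle->recordSuccess('alice'); // counter reset; next failure starts again at 2s
```

Keying the lockout by account rather than by client address is what makes it effective against distributed guessing, though it also means a third party who knows a username can keep that account locked, which is why the cap matters.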