item 4897801

trb | 13 years ago

Intuition, most of the time. Here are some quite common ones:

http://www.splashdata.com/press/PR121023.htm

There's no reason why you would have a three attempts limit, or five, or ten, and so on. If I get three per account, I'll just use the top three and try again on different accounts. If I get three attempts per IP, I'll use many different IPs and do the same.

To remain user friendly, delays are the way to go. E.g. you could have three different delays that add to each other: account-level, IP-level and global. Increase each with every failed attempt up to 30 seconds of wait time, and add them together. This will slow down brute force attempts to the point where they're useless, while still allowing legitimate users to log in (just with a little inconvenience).

As a result, if I failed three attempts with one account, and three on the next, etc., my IP-level limit will prohibit me from moving on to other accounts. If I try a lot of passwords on one account, the account-level and IP-level ones will slow me down. And if there's a distributed attack with many IPs, the global delay will reduce the damage the attack can do. All the while legitimate users can still use the service.
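The three-layer delay scheme described in the comment above, written out as an added example (this is not code from the commenter). The comment only says each layer grows with every failed attempt up to 30 seconds and the layers are summed; the exponential back-off curve (1, 2, 4, 8, 16, then 30 s), the ten-minute expiry of stale failure counts, the `check_password` callable and the constructed account names and addresses are all assumptions made here for illustration.

```python
"""Layered login throttling: account-level, IP-level and global delays.

Added example, not code from the original comment. Assumptions it makes
that the comment does not state: each layer backs off exponentially
(1, 2, 4, 8, 16 s) and is capped at MAX_DELAY = 30 s, and a layer's
failure count expires after WINDOW seconds of quiet so a finished attack
does not slow the whole site forever.
"""
import time

MAX_DELAY = 30.0   # per-layer cap in seconds (from the comment)
WINDOW = 600.0     # assumption: forget failures older than 10 minutes
GLOBAL_KEY = "*"   # single key for the site-wide counter


def delay_for(failures):
    """Seconds of delay one layer contributes after `failures` failed attempts.

    0 -> 0, 1 -> 1, 2 -> 2, 3 -> 4, 4 -> 8, 5 -> 16, 6+ -> 30 (capped).
    """
    if failures <= 0:
        return 0.0
    return min(MAX_DELAY, float(2 ** (failures - 1)))


class LoginThrottle:
    """Tracks failed logins per account, per source IP and site-wide.

    Each table maps key -> (failure_count, time_of_last_failure). The clock is
    injectable so the behaviour can be exercised deterministically.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._account = {}
        self._ip = {}
        self._global = {}

    def _failures(self, table, key):
        count, last = table.get(key, (0, 0.0))
        if count and self._clock() - last > WINDOW:
            return 0          # stale entry: treat as no recent failures
        return count

    def _bump(self, table, key):
        table[key] = (self._failures(table, key) + 1, self._clock())

    def required_delay(self, account, ip):
        """Total wait the server enforces before processing this attempt."""
        return (delay_for(self._failures(self._account, account))
                + delay_for(self._failures(self._ip, ip))
                + delay_for(self._failures(self._global, GLOBAL_KEY)))

    def record_failure(self, account, ip):
        self._bump(self._account, account)
        self._bump(self._ip, ip)
        self._bump(self._global, GLOBAL_KEY)

    def record_success(self, account, ip):
        """A correct password clears the account and IP penalties.

        The global counter is deliberately left alone: it measures site-wide
        pressure, and one good login says nothing about a distributed attack.
        """
        self._account.pop(account, None)
        self._ip.pop(ip, None)


def attempt_login(throttle, account, ip, password, check_password):
    """Enforce the delay server-side, then verify. Returns True on success.

    `check_password` is a caller-supplied callable (hypothetical); in a real
    deployment it would consult the credential store.
    """
    wait = throttle.required_delay(account, ip)
    if wait:
        time.sleep(wait)
    if check_password(account, password):
        throttle.record_success(account, ip)
        return True
    throttle.record_failure(account, ip)
    return False


if __name__ == "__main__":
    # Constructed demo: an attacker hammering one IP while a real user logs in.
    th = LoginThrottle()
    for _ in range(3):
        th.record_failure("alice", "203.0.113.7")
    print("attacker, same account:", th.required_delay("alice", "203.0.113.7"))
    print("attacker, next account:", th.required_delay("bob", "203.0.113.7"))
    print("real user, other IP:   ", th.required_delay("carol", "198.51.100.9"))
```

The delay is computed before the password is checked, so a failed attempt costs the attacker the full wait even when the guess is wrong, and the per-layer cap keeps a legitimate user's worst case bounded at 90 seconds rather than growing without limit. The in-process dictionaries are only for illustration: behind more than one application server the counters have to live in shared storage, or each node sees only a slice of the attack.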
