{"id":34323167,"user":"joshspankit","time":1673349754,"time_ago":"3 years ago","type":"comment","content":"

Why would you have to tell if they’re from one bot?","comments":[{"id":34323569,"user":"tinus_hn","time":1673352559,"time_ago":"3 years ago","type":"comment","content":"

Because you want to have delays between bot login attempts?","comments":[{"id":34325732,"user":"joshspankit","time":1673362493,"time_ago":"3 years ago","type":"comment","content":"

I think that’s overcomplicating it: Just do it site-wide for all login attempts (always on, or like the captcha: as-needed)","comments":[{"id":34331972,"user":"tinus_hn","time":1673387062,"time_ago":"3 years ago","type":"comment","content":"

So now in the case of a bot attack no one can login. That doesn’t work.","comments":[{"id":34332941,"user":"joshspankit","time":1673393231,"time_ago":"3 years ago","type":"comment","content":"

What do you mean?","comments":[{"id":34336727,"user":"tinus_hn","time":1673429826,"time_ago":"3 years ago","type":"comment","content":"

If you block all logins for 5 seconds after a bot attempts to login, and the bot attempts to login 50 times per second, no one will be able to login.","comments":[{"id":34337745,"user":"joshspankit","time":1673441007,"time_ago":"3 years ago","type":"comment","content":"

I understand the confusion now.

No I mean when a specific user has a failed login attempt that user has to wait 5-30 seconds before being able to try again. A legitimate user would only be affected if a bot is trying to log in as them.","comments":[{"id":34361788,"user":"tinus_hn","time":1673566312,"time_ago":"3 years ago","type":"comment","content":"

That’s account lockouts, it doesn’t work against bots because they can just try a million accounts instead of a million passwords on one account and it makes it super easy to do a denial of service on an account, and it doesn’t prevent a denial of service against the server that has to service all these login attempts that might very well involve running hashes designed to be computationally intensive, like PBKDF2.

This is not a novel measure, rest assured that the people that choose to implement captcha instead are aware of its existence and chose for the captcha instead.","comments":[],"comments_count":0,"level":6,"url":"item?id=34361788"}],"comments_count":1,"level":5,"url":"item?id=34337745"}],"comments_count":2,"level":4,"url":"item?id=34336727"}],"comments_count":3,"level":3,"url":"item?id=34332941"}],"comments_count":4,"level":2,"url":"item?id=34331972"}],"comments_count":5,"level":1,"url":"item?id=34325732"}],"comments_count":6,"level":0,"url":"item?id=34323569"}],"comments_count":7,"url":"item?id=34323167"}

Comment by joshspankit