No, I mean when a specific user has a failed login attempt, that user has to wait 5-30 seconds before being able to try again. A legitimate user would only be affected if a bot is trying to log in as them.
That’s account lockouts. It doesn’t work against bots, because they can just try a million accounts instead of a million passwords on one account; it makes it super easy to do a denial of service on an account; and it doesn’t prevent a denial of service against the server that has to service all these login attempts, which might very well involve running hashes designed to be computationally intensive, like PBKDF2.
This is not a novel measure; rest assured that the people who choose to implement captcha instead are aware of its existence and chose the captcha instead.
If you block all logins for 5 seconds after a bot attempts to log in, and the bot attempts to log in 50 times per second, no one will be able to log in.
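To make the account-DoS point above concrete, here is an added toy simulation (not code from anyone in this thread) of a per-account lockout; it assumes a 5-second lockout, a bot sending 50 wrong passwords per second, and constructed account names:

```python
from collections import defaultdict

LOCKOUT_SECONDS = 5.0  # assumed: one value from the thread's 5-30 s range


class PerAccountLockout:
    """Constructed model of the per-account lockout discussed above: after a failed
    login, that account rejects every attempt for LOCKOUT_SECONDS, whoever sends it.
    Each attempt that is not rejected costs the server one password-hash evaluation."""

    def __init__(self, lockout=LOCKOUT_SECONDS):
        self.lockout = lockout
        self.locked_until = defaultdict(float)  # account -> time the lockout ends
        self.hashes_computed = 0                # stands in for PBKDF2 work done

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail'; a failure starts a new lockout window."""
        if now < self.locked_until[account]:
            return "locked"                     # rejected cheaply, no hash computed
        self.hashes_computed += 1
        if password_ok:
            return "ok"
        self.locked_until[account] = now + self.lockout
        return "fail"


def simulate_single_account(bot_rate=50, seconds=10):
    """A bot sends bot_rate wrong passwords per second for 'alice'; alice herself
    tries her correct password once per second. Returns (alice_ok, alice_locked)."""
    limiter = PerAccountLockout()
    ok = locked = 0
    for tick in range(seconds * bot_rate):
        now = tick / bot_rate
        limiter.attempt("alice", False, now)          # bot guess, always wrong
        if tick % bot_rate == 0:                      # alice, once per second
            result = limiter.attempt("alice", True, now + 0.001)
            ok += result == "ok"
            locked += result == "locked"
    return ok, locked


def simulate_spray(accounts=1000, bot_rate=50):
    """The same bot sends one wrong password to each of 'accounts' distinct users.
    Returns how many attempts the server still had to hash (the lockout stops none)."""
    limiter = PerAccountLockout()
    for i in range(accounts):
        limiter.attempt(f"user{i}", False, i / bot_rate)
    return limiter.hashes_computed
```

With these inputs `simulate_single_account()` returns `(0, 10)`: alice never gets in during the 10 seconds, while `simulate_spray()` returns `1000`, i.e. every spread-out attempt still reaches the expensive hash.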
I understand the confusion now.