Sunday 8 April 2012

Adding a delay to prevent brute force user and password attacks

One of the OWASP projects I really like is AppSensor and I'm trying to find a way to integrate its concepts into TeamMentor.

So to kickstart this process, I just added a small delay to the login check (see this commit for the details)

I was playing around with the timings and I felt that 500ms was a good amount.

1000ms (1s) felt too much of a delay, and was affecting the user experience.

In principle, this simple 500ms should make a difference in an attacker's ability to brute force TM account details (username and password)