I'm looking for advice on a good compromise between ease of use for my members and security. For instance:
1. Some web sites will actually lock a user's account after 5 failed login attempts and they won't be able to use it again until they request an unlock via email or phone or something. I think this is too extreme for my web service's security requirements.
2. Other sites display a captcha after a certain number of failed attempts. I'm not terribly fond of captchas, but I suppose I could go that route.
3. Perhaps some sort of delay would work. If 5 login attempts have failed, then that username can't log in for 10 minutes or something like that. I'm leaning toward this, but am worried if it still would allow easy abuse.

I don't believe Shiro has a way to track the number of login attempts per username, the time since the last login attempt, or anything else like this. Or does it and I've missed it? It seems like this would be useful to have as a Shiro feature.

Also, it would be really handy if the AuthenticationException contained this information. I'd like to be able to grab from the exception the number of login attempts that were made on this username, the length of time since the last attempt, or any other details that could be useful. This way I could return information to my UI that says "You have 3 more attempts" or "Too many login attempts, please try again in 5 minutes."

Any suggestions on secure but practical approaches to solve this?

Thanks,
Tauren

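A framework-agnostic sketch of option 3 from the post (added here as an example; it is not Shiro code and not from the original thread): per-username failure tracking that hands back the remaining-attempt and retry-after details the post wants to show in the UI. `LoginThrottle`, `TooManyAttempts` and the failure window are assumptions; in Shiro the same logic would be wired around the realm's credential check.

```python
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failed attempts allowed before lockout (as proposed in the post)
LOCKOUT_SECONDS = 600   # 10-minute lockout (as proposed in the post)
WINDOW_SECONDS = 600    # assumption: failures older than this no longer count (keep <= LOCKOUT_SECONDS)
class TooManyAttempts(Exception):
    """Carries what the post wants surfaced to the UI: attempts made and seconds to wait."""
    def __init__(self, username, attempts, retry_after):
        super().__init__(f"Too many login attempts for {username!r}, retry in {int(retry_after)}s")
        self.attempts, self.retry_after = attempts, retry_after
@dataclass
class LoginThrottle:
    """Hypothetical per-username throttle; in-memory, so per-process and non-persistent."""
    failures: dict = field(default_factory=dict)      # username -> timestamps of recent failures
    locked_until: dict = field(default_factory=dict)  # username -> time the lockout ends

    def _recent(self, username, now):
        # Drop failures outside the window; once a lockout expires nothing is left to count.
        kept = [t for t in self.failures.get(username, []) if t > now - WINDOW_SECONDS]
        self.failures[username] = kept
        return kept

    def status(self, username, now=None):
        """Returns (remaining_attempts, seconds_until_unlock); never raises."""
        now = time.time() if now is None else now
        until = self.locked_until.get(username, 0)
        if until > now:
            return 0, until - now
        return MAX_FAILURES - len(self._recent(username, now)), 0

    def check(self, username, now=None):
        """Call before verifying the password; raises while the username is locked out."""
        remaining, retry_after = self.status(username, now)
        if retry_after > 0:
            raise TooManyAttempts(username, len(self.failures.get(username, [])), retry_after)
        return remaining

    def record_failure(self, username, now=None):
        """Call after a bad password; returns attempts left and locks the name at zero."""
        now = time.time() if now is None else now
        recent = self._recent(username, now)
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
        return max(MAX_FAILURES - len(recent), 0)

    def record_success(self, username):
        # A correct password clears the counter so a returning user is not penalised.
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)
```

Keyed on the username alone, this lets anyone who knows a username keep it locked for ten minutes at a time, which is the abuse the post worries about; deployments usually pair it with a per-source-address limit or a captcha and keep the counters in a shared store rather than process memory.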