Security suggestion: Why not block login after several false login attempts?



We know that all kinds of IT infrastructure is subject to brute force attacs - bots just trying billions of passwords till - by accidet - it finds the right one.

I wonder whether it wouldn't be a good thing to implement an algorithm which eg

  • blocks login after 3 false login attempts for one minute
  • then allows another 2 failed attempts and blocks login for 5 minutes
  • then allows one last failed attempt and then blocks it forever till action is taken - eg respond to an unlock instructions email, which may require to send an unlock key file, a master password - or whatever.

Numbers for the schedule above of course can vary - we could set up different security profiles from which the admin can choose.

I'd really like to know what security experts think about this thought.




this is already possible with e.g. fail2ban as seen in [1].

It makes no sense to implement such blocking in PHP as e.g. done by Nextcloud. This just brings a false sense of security. Such blocking needs to be done on OS layer and not on Application Layer within PHP for the reasons as e.g. described in [2]