andym01480 wrote: I got that from Chris Shiflett's book!

What, the "throttle" code? I haven't read the book either, but I think you might have copied the code without understanding the context in which it should be used (and that is VERY important, let me tell you).
In addition, preventing multiple logins from one account too often is of limited use:
- The attacker can just try other accounts while waiting for the first to let him try again
- Without proper logging and alarm rings, you just slow the attacker by a fixed factor, you don't really prevent anything
- It's hard to provide brute-force protection while not giving the attacker the opportunity for DoS. A couple of lines of code certainly won't do.
In short, you need to understand all attack scenarios and then implement a system, otherwise you end up avoiding one thing and opening the door for another.
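As an added illustration of the three points in the post above (not code from the book, from andym01480, or from the reply's author), here is a login throttle that tracks failures per account and per source, never hard-locks an account (so an attacker cannot lock out legitimate users by hammering their logins), and raises alerts for the monitoring pipeline when one source starts cycling through many different accounts. The thresholds, the `LoginThrottle` class and the `Decision` type are assumptions chosen for the example; the `clock` parameter exists so the behaviour can be exercised deterministically.

```python
"""Added example: a login throttle with per-account and per-source backoff
plus spray detection. Thresholds and class names are assumptions for the
example, not taken from any book or from the original thread."""
import logging
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List

log = logging.getLogger("login_throttle")


@dataclass
class Decision:
    """Result of a pre-authentication check."""
    delay_seconds: float                               # enforce before processing the attempt
    alerts: List[str] = field(default_factory=list)    # events worth paging on

    @property
    def allowed_now(self) -> bool:
        return self.delay_seconds == 0.0


class LoginThrottle:
    def __init__(self, window: float = 600.0, account_free: int = 5,
                 source_free: int = 20, spray_accounts: int = 10,
                 max_delay: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window                  # sliding window in seconds
        self.account_free = account_free      # failures per account before backoff starts
        self.source_free = source_free        # failures per source before backoff starts
        self.spray_accounts = spray_accounts  # distinct accounts from one source that trips an alert
        self.max_delay = max_delay            # cap so backoff never becomes a permanent lockout
        self.clock = clock
        self._account_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._source_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._source_accounts: Dict[str, Dict[str, float]] = defaultdict(dict)

    def _prune(self, dq: Deque[float], now: float) -> None:
        # Drop failure timestamps that have fallen out of the window.
        cutoff = now - self.window
        while dq and dq[0] <= cutoff:
            dq.popleft()

    def _backoff(self, failures: int, free: int) -> float:
        # Exponential delay after the free attempts, capped at max_delay.
        if failures < free:
            return 0.0
        return min(self.max_delay, float(2 ** (failures - free)))

    def check(self, account: str, source: str) -> Decision:
        """Call before verifying credentials; returns the delay to enforce and any alerts."""
        now = self.clock()
        acct, src = self._account_fail[account], self._source_fail[source]
        self._prune(acct, now)
        self._prune(src, now)
        seen = self._source_accounts[source]
        for name in [n for n, ts in seen.items() if ts <= now - self.window]:
            del seen[name]
        delay = max(self._backoff(len(acct), self.account_free),
                    self._backoff(len(src), self.source_free))
        alerts: List[str] = []
        if len(seen) >= self.spray_accounts:      # one source, many accounts: slowing alone is not enough
            alerts.append(f"spray source={source} accounts={len(seen)} window={self.window:g}s")
        if len(src) >= self.source_free:
            alerts.append(f"source-threshold source={source} failures={len(src)}")
        for msg in alerts:
            log.warning(msg)
        return Decision(delay, alerts)

    def record_failure(self, account: str, source: str) -> None:
        now = self.clock()
        self._account_fail[account].append(now)
        self._source_fail[source].append(now)
        self._source_accounts[source][account] = now
        log.info("auth failure account=%s source=%s", account, source)

    def record_success(self, account: str, source: str) -> None:
        # Clear the account counter only; the source counter stays so a guessed
        # password on one account does not reset the picture for that source.
        self._account_fail.pop(account, None)
        log.info("auth success account=%s source=%s", account, source)


if __name__ == "__main__":
    fake = [0.0]                                          # constructed clock for a deterministic demo
    t = LoginThrottle(clock=lambda: fake[0])
    for _ in range(5):
        t.record_failure("alice", "198.51.100.7")         # constructed sample source
    print(t.check("alice", "198.51.100.7"))                # delay 1.0, no alerts
    for i in range(10):
        t.record_failure(f"user{i}", "203.0.113.9")       # one source cycling through accounts
    print(t.check("user0", "203.0.113.9"))                 # delay 0.0 but a spray alert
```

The delay grows per account and per source but is capped, so the worst an attacker can inflict on a real user is a short wait, not a lockout; the spray alert is what turns "slowing by a fixed factor" into something an operator actually sees.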