The Ninja Space Goat wrote:
What do you use to prevent brute-force attacks, jcart?

Like I was suggesting earlier, it all depends on how many security layers you want to implement. Sure, you could use a captcha, log failed attempts, etc., but you have to decide where usability meets security.
In programs I write to be as secure as possible, I would most definitely use a captcha because it will (hopefully) eliminate the possibility of robots as well as slow down hired goons manually trying to gain access. In the meantime, I would be logging everything that happens, and an admin would typically be alerted in some fashion (SMS, email, etc.) to take action on the account. Otherwise, if an admin hasn't acted on a flagged account, some intervention would take place (limited account access, lock account, whatever).
If you salt your passwords, connect using SSL, and enforce strong passwords, brute-force attacks are pretty much useless considering the amount of time they take versus being discovered (assuming you actively monitor things).
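As an added example (not code from jcart's post or from any project in this thread), here is a small Python sketch of the layered approach described above: a per-account random salt with PBKDF2 for stored passwords, an audit log entry for every attempt, and a consecutive-failure counter that locks the account and raises an admin alert once a threshold is hit. The class and constant names (AuthService, MAX_FAILURES, LOCKOUT_SECONDS), the threshold values and the sample usernames and IPs are all assumptions made for the illustration; the captcha step and the SSL transport are outside what a stand-alone script can show.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy knobs; the values are assumptions for this example, tune them per site.
MAX_FAILURES = 5             # consecutive failures before lock + admin alert
LOCKOUT_SECONDS = 900        # how long the lock lasts (15 minutes)
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per account means two users
    with the same password store different digests, and a leaked table cannot
    be cracked with one precomputed dictionary."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time compare so timing does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class AuthService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)     # stand-in for the real audit log
    alerts: List[str] = field(default_factory=list)  # stand-in for SMS/email to an admin

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str, source_ip: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` (epoch seconds) is passed in
        so the lockout window can be exercised without sleeping."""
        account = self.accounts.get(username)
        if account is None:
            # Log it, but answer exactly like a bad password so the response does
            # not tell the attacker which usernames exist.
            self.log.append(f"{now:.0f} FAIL reason=unknown-user user={username} ip={source_ip}")
            return "denied"

        if account.locked_until > now:
            # While locked, do not even check the password: a correct guess must
            # not be distinguishable from a wrong one.
            self.log.append(f"{now:.0f} FAIL reason=locked user={username} ip={source_ip}")
            return "locked"

        if verify_password(password, account.salt, account.digest):
            account.failures = 0
            account.locked_until = 0.0
            self.log.append(f"{now:.0f} OK user={username} ip={source_ip}")
            return "ok"

        account.failures += 1
        self.log.append(
            f"{now:.0f} FAIL reason=bad-password user={username} ip={source_ip} "
            f"failures={account.failures}"
        )
        if account.failures >= MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
            self.alerts.append(
                f"{now:.0f} ALERT user={username}: {MAX_FAILURES} consecutive failures "
                f"(last from {source_ip}); locked for {LOCKOUT_SECONDS}s"
            )
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed scenario: one good login, then a guessing run from another IP.
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "correct horse battery staple", "10.0.0.5", 1000.0))
    for i in range(MAX_FAILURES):
        print(svc.login("alice", f"guess{i}", "203.0.113.9", 1001.0 + i))
    print("\n".join(svc.log))
    print("\n".join(svc.alerts))
```

The lockout is keyed on the account rather than the source IP, because a distributed guessing run changes IPs freely; the log still records the IP so the admin who gets the alert has something to act on. A per-IP rate limit and the captcha would sit in front of this as additional layers.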