frost110 wrote: You could also make it so that after 5 tries it locks that username for 30 minutes.
That is true, but it is also harmful to actual users, because 1) it is not entirely friendly to people who forget their login (nowadays we have so many logins; unless you use a site every single day, it is easy to forget), and 2) you are really trading one type of attack (dictionary) for another (DoS). With account locking, it is really easy for a malicious user to deny someone access to their account. All they have to know is the user name (the lockout time frame would be nice but not necessary to know), and they could perpetually keep someone locked out of their account.
At least, IMO, trading one vulnerability for another (an easier one to execute, I might add) is not really that good of a solution, which is why I mention pausing the script: this makes dictionary attacks expensive to perform without adversely impacting actual users.
There are also other things one can do to help prevent dictionary attacks, such as salting passwords and requiring passwords to be combinations of letters and numbers.
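The trade-off described in this post, a progressive delay on failed attempts instead of a hard account lock, on top of salted password hashes, as an added Python example that is not part of the original thread. Keying the delay by (username, client) and the PBKDF2 work factor are assumptions, not something the thread specifies.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your own hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, expected):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


DUMMY_RECORD = hash_password("placeholder")  # verified for unknown users so timing looks the same


class LoginThrottler:
    """Doubling delay per (username, client) pair rather than locking the account.

    An attacker guessing one username from their own address slows only themselves down;
    the real user arriving from a different client sees no delay, so the throttle cannot
    be turned into a denial of service against that user. A success clears the counter.
    """

    def __init__(self, base_delay=1.0, max_delay=30.0, window=900.0, clock=time.monotonic):
        self.base_delay, self.max_delay, self.window, self.clock = base_delay, max_delay, window, clock
        self._failures = {}  # (username, client) -> (failure count, time of last failure)

    def delay_for(self, username, client):
        count, last = self._failures.get((username, client), (0, 0.0))
        if count == 0 or self.clock() - last > self.window:
            return 0.0  # no recent failures from this client: no wait
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def record(self, username, client, success):
        if success:
            self._failures.pop((username, client), None)
            return
        count, _ = self._failures.get((username, client), (0, 0.0))
        self._failures[(username, client)] = (count + 1, self.clock())


def attempt_login(throttler, users, username, password, client, sleep=time.sleep):
    """Apply the throttle delay, then verify; returns (success, seconds waited)."""
    delay = throttler.delay_for(username, client)
    if delay:
        sleep(delay)  # a guessing script pays this wait before every retry
    salt, digest = users.get(username, DUMMY_RECORD)
    success = verify_password(password, salt, digest) and username in users
    throttler.record(username, client, success)
    return success, delay
```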