Rate Limiting and Account Lockout Policy

Throttling attempts to slow attackers without locking out real users.

Slowing Down Abuse

Login endpoints attract brute force and credential stuffing: attackers try many passwords against one account, or many stolen username and password pairs across many accounts. Rate limiting caps how many attempts a source may make in a time window, and lockout disables an account after repeated failures. Both slow attackers, but each has a sharp edge.

Designing Policy That Holds Up

  • Throttle on multiple keys, such as per-account and per-source address, since attackers spread attempts across many addresses.
  • Prefer exponential backoff that adds delay after each failure, slowing guessing without a hard block.
  • Be careful with hard lockout: an attacker can trigger it on purpose to cause a denial of service against real users.
  • Combine throttling with multi-factor authentication, which blocks stuffing even when a password is correct.

A subtle pitfall is the distributed attacker who uses thousands of addresses, so each address stays under a per-source limit. Per-account limits and reputation signals help, and a CAPTCHA after several failures raises the attacker's cost without locking users out.
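The policy above, as an added Python example that is not part of the lesson: a throttler keyed on both the account and the source address, with capped exponential backoff and a challenge step instead of a hard lockout. The class names, thresholds, window length and sample addresses are assumptions chosen for illustration. The `simulate_distributed_stuffing` scenario shows why the per-account key matters: every attempt arrives from a fresh address, so per-source counters never climb, but the account counter still escalates.

```python
"""Added example (not from the lesson): a login throttler keyed on account and
source address, using exponential backoff plus a challenge rather than a hard
lockout. All names, thresholds and sample requests are assumptions."""
import time
from dataclasses import dataclass, field


@dataclass
class FailureWindow:
    """Failure counter for one key (an account name or a source address)."""
    count: int = 0
    first_failure: float = 0.0


@dataclass
class LoginThrottle:
    window_seconds: float = 900.0   # failures older than this are forgotten
    base_delay: float = 1.0         # delay after the first failure
    max_delay: float = 60.0         # cap so backoff never becomes a lockout
    challenge_after: int = 5        # failures before a CAPTCHA is required
    per_account: dict = field(default_factory=dict)
    per_source: dict = field(default_factory=dict)

    def _window(self, table, key, now):
        """Return the live counter for `key`, resetting it once the window expires."""
        w = table.get(key)
        if w is None or now - w.first_failure > self.window_seconds:
            w = FailureWindow(count=0, first_failure=now)
            table[key] = w
        return w

    def check(self, account, source, now=None):
        """Return (delay_seconds, challenge_required) for an incoming attempt.
        The caller defers the attempt for `delay_seconds` and demands a CAPTCHA
        when `challenge_required` is True. Neither key ever hard-blocks, so an
        attacker cannot lock a real user out by failing on purpose."""
        now = time.time() if now is None else now
        acct = self._window(self.per_account, account, now)
        src = self._window(self.per_source, source, now)
        # Throttle on the worse of the two keys: a distributed attacker keeps
        # each source count low but drives the per-account count up.
        failures = max(acct.count, src.count)
        if failures == 0:
            delay = 0.0
        else:
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        return delay, failures >= self.challenge_after

    def record(self, account, source, success, now=None):
        """Update counters after the password check; success clears the account
        counter only, so a source that keeps failing elsewhere stays throttled."""
        now = time.time() if now is None else now
        if success:
            self.per_account.pop(account, None)
            return
        self._window(self.per_account, account, now).count += 1
        self._window(self.per_source, source, now).count += 1


def simulate_distributed_stuffing(attempts=8):
    """Constructed scenario: one account hit once from each of `attempts`
    different addresses. Returns the (delay, challenge) decision for the next
    attempt from yet another fresh address."""
    t = LoginThrottle()
    now = 1_000_000.0
    for i in range(attempts):
        source = f"203.0.113.{i + 1}"  # constructed addresses (TEST-NET-3)
        t.record("alice", source, success=False, now=now + i)
    return t.check("alice", "203.0.113.250", now=now + attempts)


def simulate_single_failure(now=1_000_000.0):
    """Constructed scenario: one typo from a real user gets a short delay,
    no challenge and no lockout."""
    t = LoginThrottle()
    t.record("bob", "198.51.100.7", success=False, now=now)
    return t.check("bob", "198.51.100.7", now=now + 1)


if __name__ == "__main__":
    print("distributed stuffing:", simulate_distributed_stuffing())  # (60.0, True)
    print("single typo:", simulate_single_failure())                # (1.0, False)
```

The delay cap is the design choice worth noting: without it, backoff after a few dozen failures would grow into an effective lockout, and the denial-of-service problem the lesson warns about would return through the back door.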

Key idea

Rate limiting and lockout slow brute force and credential stuffing, but hard lockouts invite denial of service and distributed attackers defeat per-source limits, so combine per-account throttling, backoff, challenges, and multi-factor authentication.

Check yourself

1. Why can a hard account lockout backfire?

2. Why are per-source rate limits alone insufficient?

3. What additional control blocks credential stuffing even with a correct password?