blocking login after X failed attempts

I'm trying to block login for x minutes after y failed attempts. I'm already planning to log user logins, so I guess I could use the same database to calculate if blocking needs to happen.

My questions:

  • Does it make sense to use the same logs table to run the logic of the y failed attempts blocking?
  • Some people have a table just for the failed attempts, and I heard they just increment the # of failed logins. This doesn't make sense, since all they store is the number of failed attempts, not within what time period. 3 failed attempts in 10 minutes is not the same as 3 failed attempts in 3 days. Does the time span matter? Do you block after x failed attempts, period, or x failed attempts within a y time interval? And what's the best time frame for this?
  • Can someone clarify the best practice approach to this?
cooper asked Feb 26 '23 17:02


1 Answer

You need what's called a Password Attempt Window.

Basically 2 fields in the database: one LastPasswordAttempt (datetime) and one PasswordAttemptCount (int).

Then on each login, check when the last LastPasswordAttempt occurred and, if it was within the last, say, 10 minutes, increment the PasswordAttemptCount; otherwise reset it to 0 (or 1, because they've just failed).

In the same logic, check whether PasswordAttemptCount is equal to, say, 5 or more; if it is, deny the user access. You could have a 3rd field which locks them out for a few hours or a day,

i.e. CanLoginAfter (datetime), which you can set to a day from the last password attempt.

Hope this helps

Marko answered Mar 05 '23 19:03
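Here is the scheme from the answer worked through in runnable form, as an added example (my code, not Marko's and not any particular framework's): a SQLite table carrying the LastPasswordAttempt, PasswordAttemptCount and CanLoginAfter fields, a login function that applies the 10-minute window, 5-attempt threshold and one-day lockout the answer suggests, and two constructed scenarios. The table layout, the PBKDF2 hashing and the test users are assumptions for the demo; the clock is passed in as a parameter so the window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta

# Policy values taken from the answer above
WINDOW = timedelta(minutes=10)   # failures closer together than this belong to the same streak
MAX_ATTEMPTS = 5                 # streak length that triggers the lockout
LOCKOUT = timedelta(days=1)      # how far CanLoginAfter is pushed into the future


def pbkdf2(password, salt):
    # Slow salted hash so the table never holds the password itself (assumed parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def open_db():
    # In-memory table with the three fields the answer names (constructed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               username             TEXT PRIMARY KEY,
               pw_hash              BLOB NOT NULL,
               salt                 BLOB NOT NULL,
               LastPasswordAttempt  TEXT,
               PasswordAttemptCount INTEGER NOT NULL DEFAULT 0,
               CanLoginAfter        TEXT)"""
    )
    return conn


def add_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, pw_hash, salt) VALUES (?, ?, ?)",
                 (username, pbkdf2(password, salt), salt))
    conn.commit()


def attempt_count(conn, username):
    return conn.execute("SELECT PasswordAttemptCount FROM users WHERE username = ?",
                        (username,)).fetchone()[0]


def attempt_login(conn, username, password, now):
    # Returns 'ok', 'denied' (bad password) or 'locked' (CanLoginAfter still in the future).
    row = conn.execute(
        "SELECT pw_hash, salt, LastPasswordAttempt, PasswordAttemptCount, CanLoginAfter "
        "FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "denied"  # unknown user gets the same answer as a wrong password
    pw_hash, salt, last_s, count, can_after_s = row

    # 1. Lockout is checked before the password, so a correct guess during the
    #    lockout is refused as well and reveals nothing to the caller.
    if can_after_s is not None and now < datetime.fromisoformat(can_after_s):
        return "locked"

    # 2. Constant-time comparison of the stored hash; success clears the streak.
    if hmac.compare_digest(pbkdf2(password, salt), pw_hash):
        conn.execute("UPDATE users SET PasswordAttemptCount = 0, CanLoginAfter = NULL "
                     "WHERE username = ?", (username,))
        conn.commit()
        return "ok"

    # 3. Failure: extend the streak if the last failure is inside the window,
    #    otherwise start a new streak at 1 (this attempt). Reaching the threshold
    #    sets CanLoginAfter to LOCKOUT after this (the last) attempt.
    last = datetime.fromisoformat(last_s) if last_s else None
    count = count + 1 if last is not None and now - last <= WINDOW else 1
    can_after = (now + LOCKOUT).isoformat() if count >= MAX_ATTEMPTS else None
    conn.execute("UPDATE users SET LastPasswordAttempt = ?, PasswordAttemptCount = ?, "
                 "CanLoginAfter = ? WHERE username = ?",
                 (now.isoformat(), count, can_after, username))
    conn.commit()
    return "locked" if can_after else "denied"


def simulate_burst():
    # Five wrong passwords one minute apart, then the right one during and after the lockout.
    conn = open_db()
    add_user(conn, "alice", "correct horse battery staple")  # constructed test user
    t0 = datetime(2023, 2, 26, 17, 2)                         # constructed clock
    good = "correct horse battery staple"
    results = [attempt_login(conn, "alice", "wrong", t0 + timedelta(minutes=i)) for i in range(5)]
    results.append(attempt_login(conn, "alice", good, t0 + timedelta(hours=1)))
    results.append(attempt_login(conn, "alice", good, t0 + timedelta(days=1, hours=1)))
    return results


def simulate_spaced():
    # Six wrong passwords 11 minutes apart: each falls outside the window, so no lockout.
    conn = open_db()
    add_user(conn, "bob", "another constructed passphrase")
    t0 = datetime(2023, 2, 26, 17, 2)
    results = [attempt_login(conn, "bob", "wrong", t0 + timedelta(minutes=11 * i)) for i in range(6)]
    return results, attempt_count(conn, "bob")


if __name__ == "__main__":
    print(simulate_burst())   # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
    print(simulate_spaced())  # (['denied', 'denied', 'denied', 'denied', 'denied', 'denied'], 1)
```

The second scenario is the point the question raises about time spans: with the window approach, failures spread more than 10 minutes apart never accumulate, so the counter stays at 1 and only a burst triggers the lockout. The lockout test runs before the password check on purpose, so that a correct password submitted during the lockout is rejected like any other attempt.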