Don't choose long passwords

~kijetesantakalu

It always bothered me when systems lock people out or wipe after a few wrong passwords. It usually ends up stopping people who actually have the account more than attackers. Both attackers and people who don't have eidetic memory use the same technique anyway: "alright, so I know I have a couple of common passwords, so let's go through variations of them because I don't remember what I used here". If it's, like, a bank account or the nuclear launch codes, I understand. But being locked out of a streaming account because I forgot which password the person who signed up for it used? Very annoying.


Replies

~alder wrote:

Even worse, it enables a new kind of malicious behavior: intentionally locking someone out of their own account/device.

A friendlier approach I've seen is to increase an enforced delay between password attempts, which disrupts an attacker's ability to brute force their way in without locking the account-holder out.
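The growing-delay approach ~alder describes, as an added example that is not part of the thread: a per-account throttle whose enforced wait doubles after each consecutive failure up to a cap, and resets on a correct password, so a long streak of wrong guesses is slowed down but the account is never locked. The thresholds and constants are illustrative assumptions, not values from the discussion.

```python
from dataclasses import dataclass

# Added example (not from the thread): progressive per-account delay instead of lockout.
# The numbers below are assumed, illustrative settings.
BASE_DELAY = 1.0      # seconds imposed after the first penalised failure
MAX_DELAY = 300.0     # cap so a wrong-password streak never becomes a permanent lockout
FREE_ATTEMPTS = 2     # consecutive failures tolerated before any delay applies


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # epoch seconds before which attempts are refused


def delay_for(failures: int) -> float:
    """Wait imposed after `failures` consecutive failed attempts (exponential, capped)."""
    if failures <= FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY)


class LoginThrottle:
    def __init__(self) -> None:
        self._state: dict[str, AccountState] = {}

    def can_attempt(self, account: str, now: float) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait). There is no permanent refusal state."""
        st = self._state.get(account)
        if st is None or now >= st.next_allowed:
            return True, 0.0
        return False, st.next_allowed - now

    def record_failure(self, account: str, now: float) -> float:
        """Count a wrong password and return the wait imposed before the next attempt."""
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        wait = delay_for(st.failures)
        st.next_allowed = now + wait
        return wait

    def record_success(self, account: str) -> None:
        # A correct password clears the counter: the legitimate owner pays nothing further.
        self._state.pop(account, None)


def total_wait_for_guesses(n: int) -> float:
    """Seconds of enforced waiting accumulated over n consecutive wrong guesses."""
    return sum(delay_for(k) for k in range(1, n + 1))
```

Because the delay is keyed per account, it slows a long guessing streak against one account but does nothing for a single password tried once across many accounts; that case needs a separate per-source or global limit.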