
I am thinking about what the best practice is for implementing account lockout when a user attempts to log in more than X times in Y duration (and fails).

Should I block the IP address that is trying to log in and keep it in my DB? Or lock the "username" that is attempting to log in? Or does the implementation need to be in the browser as a flag (like a cookie, or local/session storage) that would prevent the request at all?

Would love to get your suggestions.

Eliran.

Eliran Suisa
    Locking the user account gives any random attacker the power to disable user accounts. Bad. Any real attacker discards cookies/local storage. Useless. – deceze Oct 05 '20 at 13:06
    https://www.npmjs.com/package/express-rate-limit this package will help you to limit the request frequency – siddhant sankhe Oct 05 '20 at 13:08

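As an added example (not code from the question or the comments), here is the server-side shape of the approach the comments point towards: a sliding-window failure counter keyed on the (client IP, username) pair, so a remote attacker cannot lock a victim's account from elsewhere and a client cannot bypass it by clearing cookies or local storage. The class, its parameters and the in-memory Map are assumptions for illustration; in production the state would live in Redis or a DB table behind the login handler.

```javascript
// Server-side lockout keyed on (IP, username). Hypothetical example code.
class LoginThrottle {
  // maxFailures: X failed attempts, windowMs: Y duration, lockMs: how long to block
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000, lockMs = 15 * 60 * 1000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockMs = lockMs;
    this.state = new Map(); // key -> { failures: [timestamps], lockedUntil: number }
  }

  key(ip, username) {
    // Normalise the username so "Alice" and "alice" share one bucket.
    return `${ip}|${username.trim().toLowerCase()}`;
  }

  // True if this (ip, username) pair may attempt a login right now.
  isAllowed(ip, username, now = Date.now()) {
    const entry = this.state.get(this.key(ip, username));
    return !entry || entry.lockedUntil <= now;
  }

  // Call after a failed password check. Returns true when the pair is now locked.
  recordFailure(ip, username, now = Date.now()) {
    const k = this.key(ip, username);
    const entry = this.state.get(k) || { failures: [], lockedUntil: 0 };
    // Sliding window: discard failures older than windowMs before counting.
    entry.failures = entry.failures.filter((t) => now - t < this.windowMs);
    entry.failures.push(now);
    if (entry.failures.length >= this.maxFailures) {
      entry.lockedUntil = now + this.lockMs;
      entry.failures = []; // counter restarts once the lock expires
    }
    this.state.set(k, entry);
    return entry.lockedUntil > now;
  }

  // Call after a successful login to clear the counter for this pair.
  recordSuccess(ip, username) {
    this.state.delete(this.key(ip, username));
  }
}
```

Pair this with a coarser per-IP cap (for instance the express-rate-limit package mentioned in the comments) so one source cannot cycle through many usernames, and log lockouts so the pattern is visible to monitoring.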