Quiz Entry - updated: 2026.07.14
What are the standard defenses against online password attacks?
Rate-limit attempts, lock accounts after too many failures, and require CAPTCHA after suspicious activity.
The common idea: make each guess costly for the attacker, so brute-force is infeasible at internet speeds.
| Defense | What it does | Trade-off |
|---|---|---|
| Rate-limit (per IP / per account) | Cap to e.g. 5 attempts per minute | Bypassable with botnets / residential proxies → combine with other signals |
| CAPTCHA after N failures | Force a human in the loop | UX cost; modern AI breaks weak CAPTCHAs |
| Account lockout after N failures | Temporary or permanent lock | Can be weaponised for DoS — attacker spams wrong passwords to lock victims out |
| Anomaly detection (geo, device, time) | Step up auth (2FA) on suspicious login | Needs telemetry & ML |
| 2FA / MFA | Even a stolen password isn't enough | UX friction; SMS 2FA is weak |
Lockout caveat: prefer temporary lockouts (e.g. 15 min, exponential backoff) over permanent ones, otherwise attackers DoS your users. Or count failures per IP, not per account.
Tip: Most modern guidance is "log + rate-limit + offer 2FA" rather than aggressive lockout. NIST SP 800-63B explicitly recommends throttling over lockout.