LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the standard defenses against online password attacks?

Rate-limit attempts, lock accounts after too many failures, and require CAPTCHA after suspicious activity.

The common idea: make each guess costly for the attacker, so brute-force is infeasible at internet speeds.

Defense What it does Trade-off
Rate-limit (per IP / per account) Cap to e.g. 5 attempts per minute Bypassable with botnets / residential proxies → combine with other signals
CAPTCHA after N failures Force a human in the loop UX cost; modern AI breaks weak CAPTCHAs
Account lockout after N failures Temporary or permanent lock Can be weaponised for DoS — attacker spams wrong passwords to lock victims out
Anomaly detection (geo, device, time) Step up auth (2FA) on suspicious login Needs telemetry & ML
2FA / MFA Even a stolen password isn't enough UX friction; SMS 2FA is weak

Lockout caveat: prefer temporary lockouts (e.g. 15 min, exponential backoff) over permanent ones, otherwise attackers DoS your users. Or count failures per IP, not per account.

Tip: Most modern guidance is "log + rate-limit + offer 2FA" rather than aggressive lockout. NIST SP 800-63B explicitly recommends throttling over lockout.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jul 14, 2026