i trying figure out how fight brute force attack on website. based on research have done top answers account lockout & captcha.
if lock out user denying them service x amount of time. means if attacker attack 10 different accounts lock them all. when time lock them again. can keep @ , keep users locked out indefinitely. users can contact me 10 tickets have deal , i'd rather avoid work if possible. failing understand how useful? attacker might not account cause me , users lot of grief.
how combat this? ip banning seems pointless can changed easy.
don't display user id used log in publicly. have separate display id. example, might log in email address , choose different name display. if attacker doesn't have user id can't make repeated login attempts , lock user out.
