Tags: security, passwords, web, user-accounts

Security Feature: Locking Out A User From the System - Better Alternatives?


I was trying to build a more sophisticated lockout mechanism for a web application. I was thinking that it may be beneficial that when a user enters an invalid user ID and password 3 times, we lock out the account with the invalid password and also lock out the IP address accessing the page (by IP lockout, I mean for, say, 5 or 10 minutes). Is this a reasonable approach? If someone is fishing for user IDs and passwords, I would want to slow them down for some time after the attempts.

What do you think, is this a good way of doing it, or are there better ways of doing it?

Thanks.


Solution

  • The first approach is the default behaviour of the built-in ASP.NET Membership, but the second one is not a very good idea, because changing the IP address via a VPN is not a problem for an attacker, although most real attacks will be done from multiple machines.

    Another problem is that you would ban an IP address that belongs to many machines in an ISP, or a LAN that is NATed behind a single valid IP.

    Putting a bot detection mechanism like a CAPTCHA in place would be a better idea.
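To make the trade-off concrete, here is an added example (not code from the question or the answer) of a login guard that locks an account after 3 failures in a 10-minute window, as the question proposes, but treats the source IP the way the answer recommends: repeated failures from one IP only trigger a CAPTCHA challenge, so other users behind the same NAT or ISP address are never hard-locked. The class name `LoginGuard`, the `IP_CHALLENGE_THRESHOLD` value and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3            # failed attempts before the account locks (from the question)
LOCKOUT_SECONDS = 600       # 10-minute window (the question's "5 or 10 minutes")
IP_CHALLENGE_THRESHOLD = 3  # assumption: failures from one IP before a CAPTCHA is required


class LoginGuard:
    """Tracks failed logins per account and per source IP inside a sliding window."""

    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable for testing
        self.account_failures = defaultdict(list)   # user_id -> [failure timestamps]
        self.ip_failures = defaultdict(list)        # ip -> [failure timestamps]

    def _recent(self, bucket, now):
        # Drop timestamps older than the window and return how many remain.
        cutoff = now - LOCKOUT_SECONDS
        bucket[:] = [t for t in bucket if t > cutoff]
        return len(bucket)

    def check(self, user_id, ip):
        """Call before verifying the password. Returns 'locked', 'captcha' or 'ok'."""
        now = self.clock()
        if self._recent(self.account_failures[user_id], now) >= MAX_FAILURES:
            return "locked"      # account-level lock, as in the question
        if self._recent(self.ip_failures[ip], now) >= IP_CHALLENGE_THRESHOLD:
            return "captcha"     # shared IP: challenge the client instead of banning it
        return "ok"

    def record_failure(self, user_id, ip):
        now = self.clock()
        self.account_failures[user_id].append(now)
        self.ip_failures[ip].append(now)

    def record_success(self, user_id):
        # A correct password clears the account counter; the IP history is kept,
        # since one valid login does not prove the address is not still guessing.
        self.account_failures.pop(user_id, None)


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(3):
        guard.record_failure("alice", "203.0.113.5")   # constructed sample traffic
    print(guard.check("alice", "203.0.113.5"))         # locked
    print(guard.check("bob", "203.0.113.5"))           # captcha (same NAT, not locked)
```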