I am building a login where the client is obsessed with high security. I want to be able to present the client with the features I’ve implemented to make this area as secure as possible.
One of the things I want to present the client with is an implementation that prevents multiple login attempts. I set this up using sessions and counting login attempts, but I was wondering: if there was a bot attack (like a dictionary attack) against a login where hundreds of attempts were tried repeatedly, would they use the same session? I am thinking probably not (but I don’t know, I’m not a security expert). Furthermore, would they even use the same IP?
If the answers to both of the questions above are ‘not necessarily’ then I am thinking the best approach to do this is to prevent multiple login attempts using the same username in a short period of time.
I’m mainly looking for answers to the two questions above, however. Thanks in advance to anyone who helps.
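The approach the question ends on (counting failures per username rather than per session) is easy to sketch. The following is an added example, not the poster's code: a sliding-window throttle keyed by username and by client IP, with a simulated dictionary attack that rotates both its session and its source address on every guess. The `LoginThrottle` class, the `check_password` stub, the `FakeClock` and the sample addresses are all assumptions made for this illustration.

```python
"""Constructed example: per-username and per-IP login throttling.

Added illustration, not the original poster's code. LoginThrottle, the
check_password stub, FakeClock and the IP addresses are assumptions.
"""
import time
from collections import defaultdict, deque


def check_password(username, password):
    """Stand-in for the real credential check (assumption for this example)."""
    return username == "alice" and password == "correct horse battery staple"


class LoginThrottle:
    """Sliding-window failed-login counter keyed by username and by client IP.

    The session ID is deliberately not a key: a scripted dictionary attack can
    open a new session (or send no cookie at all) on every request, so a
    per-session counter never reaches its limit.
    """

    def __init__(self, max_per_user=5, max_per_ip=50, window=300,
                 clock=time.monotonic):
        self.max_per_user = max_per_user
        self.max_per_ip = max_per_ip
        self.window = window                    # seconds
        self.clock = clock                      # injectable for deterministic tests
        self._user_fail = defaultdict(deque)    # username -> failure timestamps
        self._ip_fail = defaultdict(deque)      # ip -> failure timestamps

    def _recent(self, dq, now):
        # Drop failures that have aged out of the window; return what is left.
        while dq and now - dq[0] >= self.window:
            dq.popleft()
        return len(dq)

    def is_blocked(self, username, ip):
        now = self.clock()
        return (self._recent(self._user_fail[username], now) >= self.max_per_user
                or self._recent(self._ip_fail[ip], now) >= self.max_per_ip)

    def record_failure(self, username, ip):
        now = self.clock()
        self._user_fail[username].append(now)
        self._ip_fail[ip].append(now)

    def record_success(self, username):
        # Forget the user's failures after a good login. IP history is kept so
        # a bot that gets one account right is still slowed on the next one.
        self._user_fail.pop(username, None)


def attempt_login(throttle, username, password, ip):
    """Return 'blocked', 'ok' or 'bad'. The throttle is consulted first, so a
    blocked request never reaches the password store."""
    if throttle.is_blocked(username, ip):
        return "blocked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad"


class FakeClock:
    """Manually advanced clock so the simulation is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_dictionary_attack(n_guesses, per_ip_limit=50, per_user_limit=5):
    """A bot tries n_guesses passwords against 'alice', one per second, each
    from a different source IP and a fresh session. Returns how many guesses
    were actually checked against the password store (i.e. not 'blocked')."""
    clock = FakeClock()
    throttle = LoginThrottle(max_per_user=per_user_limit,
                             max_per_ip=per_ip_limit, window=300, clock=clock)
    checked = 0
    for i in range(n_guesses):
        ip = f"203.0.113.{i % 250 + 1}"      # rotating address (constructed)
        if attempt_login(throttle, "alice", f"guess{i}", ip) != "blocked":
            checked += 1
        clock.advance(1)
    return checked


if __name__ == "__main__":
    print("per-username limit, rotating IPs:", simulate_dictionary_attack(100))
    print("per-IP limit only, rotating IPs:",
          simulate_dictionary_attack(100, per_ip_limit=5, per_user_limit=10**9))
```

With the per-username limit in place, 100 rotating-IP guesses against one account reach the password check only 5 times; with a per-IP limit alone they all get through, which is the answer to the two questions in the post. The caveat a practitioner will want: a hard per-username lockout lets anyone deny a known user access by deliberately failing logins under their name, so in practice the per-username counter is usually paired with a growing delay or a CAPTCHA rather than an outright block, and the lockout should be reported to the user so they can tell an attack from a typo.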