I am working on securing my application against brute-force attacks.
We have decided to lock the account for 10 minutes after 3 consecutive invalid logins.
I have got this test case:
For example:
If a user tries invalid credentials every 20 minutes or so, there will be approximately 3 attempts in one hour. Will it be a good idea to lock the user account in this case? Would you check the time gap between invalid login attempts?
Please share your thoughts on this.
Thank you!
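To make the two candidate policies concrete, here is an added Python example (not code from the original post or its application) of a per-account failed-login tracker. It implements both variants the question contrasts: a plain "N consecutive failures, regardless of spacing" rule (`window=None`) and a sliding-window rule that only counts failures inside a recent time window, so widely spaced mistakes do not accumulate into a lock. The 30-minute window, the 3-failure threshold, the 10-minute lockout, the account name `alice` and the timestamps are assumed values chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta


class LoginThrottle:
    """Tracks failed logins per account and applies a temporary lockout.

    Policy (assumed for this example): `max_failures` failures inside a sliding
    `window` lock the account for `lockout`. Passing window=None reproduces a
    plain "N consecutive failures, however far apart" rule.
    """

    def __init__(self, max_failures=3, window=timedelta(minutes=30),
                 lockout=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> datetime when the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and the failure history so a fresh count begins.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register one failed attempt. Returns True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        history = self._failures.setdefault(account, deque())
        history.append(now)
        if self.window is not None:
            # Drop failures older than the window so spaced-out mistakes do not count.
            cutoff = now - self.window
            while history and history[0] < cutoff:
                history.popleft()
        if len(history) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account, now):
        """A successful login resets the failure count; refused while locked."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True


def simulate(attempt_gap, window, attempts=3):
    """Feed `attempts` failures spaced `attempt_gap` apart and report whether
    the last one locked the account under the given window policy."""
    throttle = LoginThrottle(window=window)
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time
    locked = False
    for i in range(attempts):
        locked = throttle.record_failure("alice", t0 + i * attempt_gap)
    return locked


if __name__ == "__main__":
    twenty_min = timedelta(minutes=20)
    print("no window, 20 min apart:", simulate(twenty_min, None))            # True
    print("30 min window, 20 min apart:", simulate(twenty_min, timedelta(minutes=30)))  # False
    print("60 min window, 20 min apart:", simulate(twenty_min, timedelta(minutes=60)))  # True
```

With the questioner's scenario of one bad attempt every 20 minutes, the no-window rule locks on the third attempt, a 30-minute window never locks, and a 60-minute window locks again. The window length is therefore the knob that decides whether slow, spaced-out mistakes by a forgetful user trigger the lock; whichever value is chosen, the lock should be cleared by a successful login and should expire on its own, as `is_locked` does here, so that the mechanism cannot be turned into a long-term denial of service against a legitimate account.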