On Mon, 07 May 2007 16:19:28 -0600, Jeff V. Merkey wrote:
What you should do here is after three failed attempts **CHANGE** the password and email the new password to the affected account. Otherwise, the account is locked up. It will require people to enter a valid email address, but oh well.
Jeff
DoS and spam seem like adding insult to injury. I'd expect a lot of complaints from the poor users whose passwords change hourly.
Slowing down the response rate based on the number of requests seems less painful.
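
The slow-down approach suggested in the reply above, as an added example that is not part of the original thread: a per-key throttle that doubles the wait after each failure beyond a free allowance and never changes the password or locks the account. The class and function names, the three free attempts, the 1-second base and the 300-second cap are all assumptions chosen for illustration.

```python
import time

class LoginThrottle:
    """Progressive delay per key (account name or source address, caller's choice)."""

    def __init__(self, base=1.0, cap=300.0, free_attempts=3, clock=time.monotonic):
        self.base, self.cap, self.free = base, cap, free_attempts
        self.clock = clock          # injectable so the logic can be tested offline
        self.state = {}             # key -> (consecutive_failures, not_before)

    def retry_after(self, key):
        """Seconds still to wait for this key; 0.0 means an attempt may proceed."""
        not_before = self.state.get(key, (0, 0.0))[1]
        return max(0.0, not_before - self.clock())

    def attempt(self, key, verify):
        """Return (authenticated, seconds_to_wait_before_next_attempt)."""
        wait = self.retry_after(key)
        if wait > 0:
            # Too early: refuse without evaluating the password at all, so
            # guesses made during the delay give the guesser no information.
            return False, wait
        if verify():
            self.state.pop(key, None)   # success clears the history
            return True, 0.0
        failures = self.state.get(key, (0, 0.0))[0] + 1
        over = failures - self.free
        # Exponent is clamped so a very long failure run cannot overflow.
        delay = 0.0 if over <= 0 else min(self.cap, self.base * 2 ** min(over - 1, 32))
        self.state[key] = (failures, self.clock() + delay)
        return False, delay

def simulate(n_failures, **kw):
    """Constructed scenario: n wrong guesses for 'alice', each made as soon as allowed."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **kw)
    delays = []
    for _ in range(n_failures):
        now[0] += throttle.retry_after("alice")   # wait out any pending delay
        delays.append(throttle.attempt("alice", lambda: False)[1])
    return delays

if __name__ == "__main__":
    print(simulate(8))   # delay imposed after each consecutive failure
```

The legitimate owner is delayed by at most the cap and keeps the same password, while the guess rate of anyone hammering the login falls to one attempt per cap interval.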