<b>Login Lockout Policy SOP</b>
Rate-limit by behavior, not just IP — attackers rotate IPs.
— Step 1: Lock after 5 failed attempts per username, 20 minutes. Track the username, not only the IP.
— Step 2: Add a global cap: more than 50 failures across all accounts in 5 minutes triggers a site-wide cooldown.
— Step 3: Never reveal whether the username or password was wrong. Identical error for both.
— Step 4: Verify lockouts log the source IP and user agent for later review.
— Step 5: Allowlist your own office and VPN IPs from lockout, never from rate-limiting.
— Step 6: Test it: run 6 bad logins and confirm the 6th is blocked.
Do this on every site with a public login.
Run this every time.
Lockdown Ledger
@LockdownLedger
<b>Login Lockout Policy SOP</b>
Этот пост опубликован в Telegram-канале Lockdown Ledger. Подписаться можно по ссылке: @LockdownLedger.