Message from the world of Lotus Notes.
A nice rate limiting strategy is used by the Notes Client. When you enter a wrong password, Notes displays the password dialog after a small delay; each time you fail, this delay doubles/triples (OK, I haven't timed it exactly). Very quickly this time ramps up to very substantial amounts of time; we all know how quickly exponential curves get very steep.
This achieves the same thing as a fixed rate limit, but it doesn’t penalise the average legitimate user who might get it wrong once or twice, but it will punish the evil monsters.
I always thought it was a very clever idea. Oh, and yes, you can configure password locking, but I never bother as this technique works so well.
Simon
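
The growing delay described in the comment above, as an added Python example that is not part of the original comment and is not Notes' own code. The 1-second base delay, the doubling factor, the one-hour cap and all class and function names are assumptions chosen for illustration.

```python
import time

class BackoffThrottle:
    """Per-account exponential delay after failed password attempts."""

    def __init__(self, base=1.0, factor=2.0, cap=3600.0, clock=time.monotonic):
        # base, factor and cap are assumed values, not Notes' real settings.
        self.base, self.factor, self.cap, self.clock = base, factor, cap, clock
        self.state = {}  # account -> (consecutive failures, earliest next attempt)

    def delay_for(self, failures):
        """Delay imposed after the Nth consecutive failure (N >= 1)."""
        return min(self.cap, self.base * self.factor ** (failures - 1))

    def wait_remaining(self, account):
        """Seconds until this account may try again (0.0 means allowed now)."""
        _, not_before = self.state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, account, password_ok):
        """Record one attempt. Returns 'ok', 'failed' or 'throttled'."""
        if self.wait_remaining(account) > 0:
            return "throttled"  # rejected before the password is even checked
        if password_ok:
            self.state.pop(account, None)  # success resets the failure count
            return "ok"
        failures = self.state.get(account, (0, 0.0))[0] + 1
        self.state[account] = (failures, self.clock() + self.delay_for(failures))
        return "failed"

def total_wait(throttle, guesses):
    """Enforced delay accumulated over `guesses` consecutive wrong guesses."""
    return sum(throttle.delay_for(n) for n in range(1, guesses + 1))

if __name__ == "__main__":
    t = BackoffThrottle()
    # One or two typos cost seconds; a guessing run costs hours.
    for n in (2, 5, 10, 20):
        print(f"{n:2d} wrong guesses -> {total_wait(t, n):7.0f} s of enforced delay")
```

The cap keeps a forgetful user from being shut out indefinitely, and rejecting throttled attempts before the password check means guesses made during the delay tell the guesser nothing.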