CynicalTyler: thanks for responding. I wrote my post with those views partly to elicit some kind of response.
The uppercasing – it does weaken the password by 2x per letter, but still that’s plenty strong. How are they going to crack someone’s password which is one of (26+10)^8 possible passwords, if it’s hashed? On the other hand, though, you won’t have aggravated users who didn’t realize that the caps lock was on when they put in the password. Is the increase in security so necessary that you would make people remember the case of their password?
Secondly: Yeah, I wondered what was so bad about confirming that a username exists in the system. But I think you’re right – there is no reason we should release that information. So “bad username or password” it is.
Third: No, I simply meant to introduce a tarpit – so you can resubmit a request 1 second later, but you won’t get a response until 5 seconds later. Change the 5 seconds to 2 seconds and you get the point… just put a tarpit there… but I guess yeah it’s unnecessary since you’re cutting it off at n daily tries.
ALSO – the captchas these days can easily be solved, right? There are some good solutions to prevent spam – but that’s for another post
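The login behaviour the thread settles on (case-folded passwords, one uniform "bad username or password" message, a tarpit delay on failure and a cap of n daily tries), written out as an added example that is not from the thread or either poster; the in-memory user store, the limit values and the PBKDF2 choice are constructed assumptions.

```python
import hashlib, hmac, math, os

# Constructed in-memory state (assumption): username -> (salt, hash of case-folded password)
_users = {}
_failures = {}               # username -> failed attempts so far "today"
MAX_DAILY_TRIES = 10         # the "n daily tries" cut-off; the value is an assumption
TARPIT_SECONDS = 5           # delay before a failed response, as discussed in the thread
_ITER = 100_000              # PBKDF2 iteration count (assumption)

def _kdf(password: str, salt: bytes) -> bytes:
    # Uppercasing before hashing is exactly the "2x per letter" entropy loss from the thread.
    return hashlib.pbkdf2_hmac("sha256", password.upper().encode(), salt, _ITER)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, _kdf(password, salt))

# Dummy credential: unknown usernames still do one KDF call, so timing does not leak existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _kdf("placeholder", _DUMMY_SALT))

def check_login(username: str, password: str):
    """Return (ok, message, delay_seconds); the message is the same for unknown user and wrong password."""
    if _failures.get(username, 0) >= MAX_DAILY_TRIES:
        return False, "bad username or password", TARPIT_SECONDS
    salt, stored = _users.get(username, _DUMMY)
    ok = hmac.compare_digest(_kdf(password, salt), stored) and username in _users
    if ok:
        _failures.pop(username, None)
        return True, "welcome", 0
    # Request is accepted immediately; only the answer is held back (the tarpit).
    _failures[username] = _failures.get(username, 0) + 1
    return False, "bad username or password", TARPIT_SECONDS

def entropy_bits(lowercase_letters=26, digits=10, length=8, case_sensitive=False) -> float:
    """Bits of entropy of a uniformly random password; case-folding halves each letter's choices.

    Digits have no case, so the loss for a 36-symbol alphabet is under 1 bit per position."""
    letters = lowercase_letters * (2 if case_sensitive else 1)
    return length * math.log2(letters + digits)
```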