How are you all dealing with potential hacks into login attempts?
Surely you’re not all allowing users to try every email and password constantly, or you’d be at risk of brute-force hacks. I’ve implemented session tracking that’ll block a user if more than 3 failed attempts are made, regardless of whether the account exists or not.
Issue: they can use incognito mode or clear session data.
I’m looking at implementing IP address limiting, but I’m interested to see how others have implemented it, as it’s quite annoying when you try 3 different emails and then get locked out. I wanted it to reset the counter per email, but I didn’t want hackers to be able to change the email to reset the counter and then go back to the one they’re trying to hack.
Thanks
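One way to key the counters so that switching emails does not reset them, while a user who tries a few different emails is not locked out, as an added example that is not part of the original post (the class name, limits, window and sample addresses are assumptions):

```python
import time
from collections import defaultdict, deque

# Constructed example limiter (not from the original post). Failures are
# counted per normalised account key and per client IP over a sliding window,
# so switching the email field does not reset the account counter, while a
# user who tries a few different emails from one address is not locked out.
ACCOUNT_LIMIT = 3          # failures per account in the window (assumed)
IP_LIMIT = 10              # failures per source IP in the window (assumed)
WINDOW_SECONDS = 15 * 60   # sliding window length (assumed)

class LoginLimiter:
    def __init__(self, account_limit=ACCOUNT_LIMIT, ip_limit=IP_LIMIT,
                 window=WINDOW_SECONDS):
        self.account_limit = account_limit
        self.ip_limit = ip_limit
        self.window = window
        # key -> deque of failure timestamps, oldest first
        self._by_account = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    @staticmethod
    def _account_key(email):
        # Normalise so "Alice@Example.com " and "alice@example.com" share one
        # counter. The key is tracked whether or not the account exists, so the
        # block behaviour does not reveal which emails are registered.
        return email.strip().lower()

    def _count(self, table, key, now):
        q = table[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, email, ip, now=None):
        now = time.time() if now is None else now
        return (self._count(self._by_account, self._account_key(email), now) >= self.account_limit
                or self._count(self._by_ip, ip, now) >= self.ip_limit)

    def record_failure(self, email, ip, now=None):
        now = time.time() if now is None else now
        self._by_account[self._account_key(email)].append(now)
        self._by_ip[ip].append(now)

    def record_success(self, email):
        # A correct login clears the account counter; the IP counter is kept so
        # guesses spread across many accounts from one address stay visible.
        self._by_account.pop(self._account_key(email), None)
```

The account counter is what stops the "change email, then come back" reset, and the looser IP counter is what keeps a user who mistypes three different emails from being locked out.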