Question

We have a security requirement for a web application. We need to block the browser instance (including all tabs) after 3 invalid login attempts. It should be irrespective of user ids. For example, I open a browser instance and use three different users to log in and all fail; the moment I try a fourth attempt, it should error on the login page saying close the browser instance and try on a new instance.

My question is how to identify the browser instance on the server side. What are the strategies?

One option is using the session id stored in a cookie. But I would like to make it work even if the user clears cookies between attempts.

Any other ideas?


Solution

Anything you try to do browser side is practically pointless. It won't stop a single malicious user, and will only frustrate your clueless users who forgot their passwords and are trying everything they can think of.

The best way to handle something like this is to "stand on the shoulders of giants," so to speak. How are the big names like Google/Facebook handling this? If your focus is purely on security and you don't really care about user experience, then this won't be your ideal answer. If, however, you have to balance between the two, this is how I'd do it.

Look at what Google does. You get a few attempts per user AND per IP address (you'll need to start recording this if you aren't already). After a few failed attempts, you show them a CAPTCHA. If they keep trying, you are no longer dealing with a bot, and you can adjust accordingly. You have to deal with this by account and IP because malicious users will just change their IP to keep hammering on one account, so you need to be able to handle both cases.

Try to help the user by showing them how (hopefully) easy it is to use the "forgot your password" feature. Maybe if you see enough username attempts from the same IP, you can escalate this to a "lock out" mode. But be careful, malicious users can use many IP addresses, and sometimes regular users all connect through one IP. Also make sure they can't lock out your (admin) account (or everyone in your DB).
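The per-account and per-IP escalation the answer describes, as an added example that is not part of the original answer: a sliding-window throttle that requires a CAPTCHA after a few failures on either dimension and temporarily locks out an IP, but never locks the account itself, so a guesser cannot lock out the admin account. The thresholds, window lengths and sample IPs are assumed values.

```python
# Added example, not from the original answer. Tracks failed logins per
# account AND per source IP, as the answer describes. Thresholds are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field
import time

CAPTCHA_AFTER = 3         # failures (per account or per IP) before a CAPTCHA is required
LOCKOUT_AFTER = 10        # failures from one IP before that IP is locked out
WINDOW = 15 * 60          # sliding window in seconds for counting failures
LOCKOUT_SECONDS = 15 * 60 # how long an IP lockout lasts

@dataclass
class LoginThrottle:
    by_user: dict = field(default_factory=lambda: defaultdict(deque))
    by_ip: dict = field(default_factory=lambda: defaultdict(deque))
    ip_locked_until: dict = field(default_factory=dict)

    def _prune(self, q, now):
        # drop failure timestamps that have aged out of the window
        while q and now - q[0] > WINDOW:
            q.popleft()

    def record_failure(self, user, ip, now=None):
        now = time.time() if now is None else now
        self.by_user[user].append(now)
        self.by_ip[ip].append(now)
        self._prune(self.by_user[user], now)
        self._prune(self.by_ip[ip], now)
        # lockout is tied to the IP, never to the account: guessing against
        # "admin" from many IPs triggers CAPTCHAs, not an account lockout
        if len(self.by_ip[ip]) >= LOCKOUT_AFTER:
            self.ip_locked_until[ip] = now + LOCKOUT_SECONDS

    def record_success(self, user):
        # a successful login clears only the account counter; the IP counter
        # stays so one known-good password cannot reset IP-level limits
        self.by_user.pop(user, None)

    def decide(self, user, ip, now=None):
        """Return 'allow', 'captcha' or 'locked' for the next attempt."""
        now = time.time() if now is None else now
        if self.ip_locked_until.get(ip, 0) > now:
            return "locked"
        self._prune(self.by_user[user], now)
        self._prune(self.by_ip[ip], now)
        if len(self.by_user[user]) >= CAPTCHA_AFTER or len(self.by_ip[ip]) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"
```

Because the lockout keys on the IP, regular users sharing one address (NAT, corporate proxy) can be affected by a neighbour's failures, which is why it is time-limited and why the account-level response stays at a CAPTCHA.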

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow