I recently added a neat security feature to Browserling. The feature is very simple - if someone tries to login into Browserling unsuccessfully, they have to wait a little bit until they can login again. This feature prevents automated password guessing.

Here's how the implementation looks like:

You've to wait 2n seconds between logins if you fail logging in n consecutive times.

The implementation of this security feature is just 20 lines long. Anyone can implement it in 15 minutes. The basic logic is the following - if a login is unsuccessful, then increase the unsuccessful-logins counter (n) for the user by one. If the login is unsuccessful again, figure out the time delta (delta) between the two logins in seconds and compare it to 2n. If the time delta is less than 2n, then make the user wait 2n - delta seconds. Otherwise reset the counter and log the user in.

A downside to this feature is that someone can lock someone else out of their account by trying to login too many times unsuccessfully. But in my opinion there is no reason why your web application shouldn't have this. You don't want your users' passwords to be hacked.

Until next time!