The only good way to protect against brute force attacks is CAPTCHA or
IP Address ACLs. If you implement a delay, you can just have a
multi-threaded attack. If you disable the account after a number of
failed attempts, then you can have a DoS attack and bring down the whole
site.
On 3/14/2014 11:49 AM, Bill Burke wrote:
FYI Working on Brute force login attack protection today. Last thing
I'll do until I spend a week on Resteasy.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com