Preventing Password Attacks
++++++++++++++++++++++++++++++

:Posted: 2006-07-26 11:42
:Tags: OpenID, Python

I was reading .net magazine today (which has an excellent article about Jon Hicks' new redesign by the way) and they have an excellent comment about preventing randomly generated password attacks; simply add a ``sleep(3)`` command after each failed attempt so that the hacker has to wait 3 seconds before trying again.

**Update: The downside of this is that it would be easy to launch a denial of service attack which quickly exhausts any thread pool.**

Of course they might just make lots of separate connections to the site so each connection can be trying a different password whilst the others are waiting but this too can be prevented if your authorisation supports account locking for a few seconds so that all attempts have to wait.

Expect to see this new feature added to Pylons AuthKit soon.
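
The account locking described above can be done without ``sleep()``, which avoids the thread pool problem from the update. The following is an added example, not code from .net magazine, Pylons or AuthKit; ``LoginThrottle``, ``sample_check`` and the sample account are hypothetical names constructed for illustration.

```python
import hmac
import threading
import time


class LoginThrottle:
    """Lock an account for a few seconds after a failed login, without sleeping.

    A failure records a "locked until" time for that username. Every connection
    trying that account before then is refused at once, so parallel connections
    gain nothing and no worker thread is tied up waiting.
    """

    def __init__(self, check_password, lock_seconds=3.0, clock=time.monotonic):
        self._check = check_password      # callable(username, password) -> bool
        self._lock_seconds = lock_seconds
        self._clock = clock               # injectable so tests need not wait
        self._locked_until = {}           # username -> time the lock expires
        self._mutex = threading.Lock()    # attempts arrive on many threads

    def attempt(self, username, password):
        """Return ("ok" | "denied" | "locked", seconds_to_wait)."""
        with self._mutex:
            now = self._clock()
            # Drop expired locks so the table does not grow without bound.
            for name in [n for n, t in self._locked_until.items() if t <= now]:
                del self._locked_until[name]
            until = self._locked_until.get(username)
            if until is not None:
                # Locked: the password is not even checked.
                return "locked", until - now
            if self._check(username, password):
                return "ok", 0.0
            self._locked_until[username] = now + self._lock_seconds
            return "denied", self._lock_seconds


# Constructed sample account store; a real one would hold password hashes.
SAMPLE_USERS = {"alice": b"correct horse"}


def sample_check(username, password):
    expected = SAMPLE_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password.encode())
```

The caller turns a ``"locked"`` result into an immediate error response carrying the wait time, so the delay is enforced by the timestamp rather than by a blocked thread.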