Jeanne Boyarsky wrote:
ravi koli wrote: Does anyone have an idea on what security policies are good? Locking out a customer on unsuccessful login attempts for an hour, or locking them permanently till they can call customer service and unlock it?
It depends on your business needs and what kind of site. For a bank, you'd want them to call. For a less important website, you might go by time. Another idea is a stepped mechanism. 3 wrong answers = 1 hour wait. 3 more wrong = 2 hour wait, 3 more wrong = 4 hour wait, etc.
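The stepped mechanism suggested in the reply above, as an added example that is not part of the original post. The class and constant names, the 24-hour cap, the reset on a successful login and the choice not to count attempts made while locked are all assumptions.

```python
from dataclasses import dataclass

ATTEMPTS_PER_STEP = 3          # from the post: every 3 wrong answers earn a wait
BASE_WAIT_SECONDS = 3600       # from the post: the first wait is 1 hour
MAX_WAIT_SECONDS = 24 * 3600   # assumption: cap so the doubling cannot grow forever


@dataclass
class AccountState:
    failures: int = 0          # wrong answers since the last successful login
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class SteppedLockout:
    """Hypothetical in-memory tracker; a real site would persist this per account."""

    def __init__(self):
        self._accounts = {}

    def wait_for(self, failures):
        """Seconds of lockout earned by the `failures`-th wrong answer (0 if none)."""
        if failures == 0 or failures % ATTEMPTS_PER_STEP != 0:
            return 0
        step = failures // ATTEMPTS_PER_STEP            # 1, 2, 3, ...
        return min(BASE_WAIT_SECONDS * 2 ** (step - 1), MAX_WAIT_SECONDS)

    def seconds_locked(self, user, now):
        state = self._accounts.get(user)
        return max(0.0, state.locked_until - now) if state else 0.0

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'wrong' or 'locked' for one login attempt at time `now`."""
        state = self._accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return "locked"      # the lock wins even if the password is correct
        if password_ok:
            self._accounts.pop(user)   # assumption: success resets the ladder
            return "ok"
        state.failures += 1
        wait = self.wait_for(state.failures)
        if wait:
            state.locked_until = now + wait
            return "locked"
        return "wrong"
```

Passing `now` in explicitly keeps the logic testable without waiting real hours; in production it would come from the server clock, never from the client.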