Incorrect Password lock
I have a feature request for Proton that I think could greatly enhance account security, especially against brute force attacks.
Feature Details:
Optional Lockout: Users can enable or disable this feature based on their preference.
Customizable Attempt Limits: Users can choose the number of incorrect password attempts that will trigger a lockout (e.g., 2, 5, or 10 attempts).
Customizable Lockout Duration: Users can set the duration of the lockout period (e.g., 1 hour, 10 hours, 24 hours, or 48 hours).
Device-Specific Lockout: The lockout will apply to the specific device where the incorrect attempts were made, preventing further access from that device for the selected period.
Benefits:
Enhanced Security: Helps to protect accounts from automated brute force attacks by locking out after a set number of failed attempts.
Flexibility: Users can tailor the settings to their comfort level, balancing security with convenience.
User Control: The feature is completely optional, so users who do not want it can simply leave it disabled.
I believe this feature would add an extra layer of security for Proton users who are concerned about unauthorized access to their accounts.
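To make the proposed mechanics concrete, here is an added example (not Proton's code, and not part of the original request) of a per-device lockout tracker with the settings the request describes: an on/off switch, an attempt limit restricted to 2, 5 or 10, and a lockout window restricted to 1, 10, 24 or 48 hours. The device identifier, the clock handling and the login scenario are all assumptions constructed for the example. It shows the two behaviours worth checking in such a feature: a locked device is rejected before the password is verified, even when the password is correct, and other devices are unaffected.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# The option sets named in the request. Assumption: the server clamps the
# user's choice to these values rather than accepting arbitrary numbers.
ALLOWED_ATTEMPT_LIMITS = (2, 5, 10)
ALLOWED_LOCKOUT_HOURS = (1, 10, 24, 48)


@dataclass
class DeviceState:
    """Failed-attempt counter and lock expiry for one device."""
    failures: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class DeviceLockoutPolicy:
    """Per-device lockout driven by the user-chosen settings from the request."""
    enabled: bool = True
    max_attempts: int = 5
    lockout_hours: int = 24
    _devices: Dict[str, DeviceState] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if self.max_attempts not in ALLOWED_ATTEMPT_LIMITS:
            raise ValueError(f"attempt limit must be one of {ALLOWED_ATTEMPT_LIMITS}")
        if self.lockout_hours not in ALLOWED_LOCKOUT_HOURS:
            raise ValueError(f"lockout duration must be one of {ALLOWED_LOCKOUT_HOURS}")

    def is_locked(self, device_id: str, now: datetime) -> bool:
        """True while the device's lockout window is still running."""
        state = self._devices.get(device_id)
        if state is None or state.locked_until is None:
            return False
        if now >= state.locked_until:
            # Window expired: forget the lock and the old failure count.
            self._devices[device_id] = DeviceState()
            return False
        return True

    def attempt(self, device_id: str, now: datetime,
                check_password: Callable[[], bool]) -> str:
        """Process one login attempt from a device and return the decision.

        Returns "locked" (rejected without running the password check),
        "ok", "failed", or "locked_now" (this failure tripped the lock).
        """
        if self.enabled and self.is_locked(device_id, now):
            # Short-circuit before verification so a locked device learns
            # nothing about whether its guess was right.
            return "locked"
        state = self._devices.setdefault(device_id, DeviceState())
        if check_password():
            self._devices[device_id] = DeviceState()  # success clears the counter
            return "ok"
        state.failures += 1
        if self.enabled and state.failures >= self.max_attempts:
            state.locked_until = now + timedelta(hours=self.lockout_hours)
            return "locked_now"
        return "failed"


def wrong_password() -> bool:
    """Constructed stand-in for a password check that fails."""
    return False


def right_password() -> bool:
    """Constructed stand-in for a password check that succeeds."""
    return True


def simulate_constructed_scenario() -> List[Tuple[str, str]]:
    """Replay a constructed login sequence against a 5-attempt / 24-hour policy."""
    policy = DeviceLockoutPolicy(enabled=True, max_attempts=5, lockout_hours=24)
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed clock origin
    events = (
        [("laptop", t0 + timedelta(minutes=i), wrong_password) for i in range(5)]
        + [("laptop", t0 + timedelta(minutes=5), right_password),  # correct, still locked
           ("phone", t0 + timedelta(minutes=5), right_password),   # other device unaffected
           ("laptop", t0 + timedelta(hours=25), right_password)]   # window over, counter reset
    )
    return [(dev, policy.attempt(dev, when, check)) for dev, when, check in events]


if __name__ == "__main__":
    for device, decision in simulate_constructed_scenario():
        print(f"{device:7} -> {decision}")
```

One design choice to note: the lock check runs before the password check, so the decision for a locked device does not depend on the submitted password at all. A server-side implementation would also need a durable, per-account store for the device states (an in-memory dict as used here does not survive a restart or a fleet of login servers).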
-
[Deleted User] commented
I've thought a lot about how to prevent brute-forcing attacks when I had my own website, but I really didn't see any benefit in this as long as users use a good password with like 16 characters. Proton will almost definitely start serving captchas to these bots, slowing them down, and even with an 8-character password (the minimum Proton requires) there are still hundreds of billions of combinations that bots need to go through in order to get the user's password.
It's a great idea but I don't think it's really worth the added security benefit.