I want to do something to prevent the “raw force attacks”. MY IDEA:
Write a policy that always checks the time of the last login attempt (of course with the same username or e-mail). If the time between two experiments is less than 2 seconds, the login attempt should be invalid.
Is that idea okay? What's your opinion?
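
The policy described in the post, written out as an added example (not part of the original post) so its behaviour can be checked against sample traffic. The class and function names, the case-insensitive matching of identifiers, and the choice to record rejected attempts are assumptions; the 2-second threshold comes from the post.

```python
import time

MIN_INTERVAL_SECONDS = 2.0  # threshold taken from the post


class LoginThrottle:
    """Rejects an attempt made less than min_interval after the previous one."""

    def __init__(self, min_interval=MIN_INTERVAL_SECONDS, clock=time.monotonic):
        self.min_interval = min_interval
        self.clock = clock            # injectable so the policy can be tested
        self._last_attempt = {}       # normalized identifier -> timestamp

    @staticmethod
    def _key(identifier):
        # Assumption: identifiers are case-insensitive, so "Alice" and
        # "alice " must share one timer.
        return identifier.strip().casefold()

    def allow(self, identifier):
        """Return True if the attempt may proceed to the password check."""
        now = self.clock()
        key = self._key(identifier)
        previous = self._last_attempt.get(key)
        # Assumption: every attempt is recorded, including rejected ones, so
        # a continuous stream of requests never gets through.
        self._last_attempt[key] = now
        return previous is None or (now - previous) >= self.min_interval


def simulate(attempts, min_interval=MIN_INTERVAL_SECONDS):
    """Replay (timestamp, identifier) pairs; return the allow/deny decisions."""
    current = [0.0]
    throttle = LoginThrottle(min_interval, clock=lambda: current[0])
    decisions = []
    for timestamp, identifier in attempts:
        current[0] = timestamp
        decisions.append(throttle.allow(identifier))
    return decisions


# Constructed sample traffic: (seconds since start, submitted identifier).
SAMPLE = [
    (0.0, "alice@example.com"),   # first attempt: allowed
    (0.5, "Alice@Example.com"),   # 0.5 s later, different case: rejected
    (1.5, "alice@example.com"),   # 1.0 s after the rejected attempt: rejected
    (3.5, "alice@example.com"),   # 2.0 s after the last attempt: allowed
    (3.6, "bob@example.com"),     # different account, own timer: allowed
]
```

Because the timer is keyed on the username or e-mail, it does not limit attempts spread across many accounts, and a steady stream of requests against one name also delays that account's real owner.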