Just as a test, and I never touched the account, but it took me 12 minutes to brute-force a btcpop.co account (it had no 2FA engaged).
There is no denying that passwords can be brute-forced, and if you managed to do so then the password you used must have been weak.
Would you be able to crack some of these passwords?
A good password with alphanumerics and symbols would look similar to these:
- n<GV8YV/L&$K$[b
- 937/o=92sW/G{5c
- ~(=0,548_"2"/Ga
- kZs75Upu]48j?6q
Anyway, I don't see this discussion leading anywhere. Stunna claims that this case has nothing to do with PD's security.
convertekk says otherwise; we have reached a stalemate here.
Three things here:
- When a user is playing from one IP address, it's highly unlikely that he'd log in from another IP at the same time. A possible 10-minute delay check between one login and the next would have prevented this from happening.
- If a user enters wrong passwords more than, say, 5 times, his account should have been locked for the next 10 or 15 minutes and the user should be notified over email stating that the login attempt from the particular IP failed. Even bitcointalk.org does that. Locking the account after 5 wrong attempts would definitely not result in false positives as Ryan was stating.
- Protect your site from DDoS and brute-force attacks. That's a must.
Still nothing to do with security?
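A defender's sketch of the two controls listed in the post above (lockout after 5 consecutive failures with a notification naming the IP, and refusing a login from a second IP within 10 minutes of the last one), added here as an example and not code from btcpop or any poster; the account name, IP addresses and timeline are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

LOCK_AFTER = 5              # consecutive failures before lockout (from the post)
LOCK_SECONDS = 15 * 60      # lockout duration (the post suggests 10-15 minutes)
IP_SWITCH_WINDOW = 10 * 60  # refuse a login from a second IP within this gap

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    last_login_ts: float = 0.0
    last_login_ip: str = ""

class LoginGuard:
    """Per-account lockout plus the 'one IP at a time' check from the thread."""
    def __init__(self):
        self.state = defaultdict(AccountState)
        self.notifications = []  # stand-in for the e-mail alerts; (user, message)

    def attempt(self, user, ip, ts, password_ok):
        s = self.state[user]
        if ts < s.locked_until:
            return "locked"  # do not even evaluate the password while locked
        if not password_ok:
            s.failures += 1
            if s.failures >= LOCK_AFTER:
                s.locked_until, s.failures = ts + LOCK_SECONDS, 0
                self.notifications.append((user, f"{LOCK_AFTER} failed logins from {ip}; account locked"))
                return "locked"
            return "failed"
        # Correct password, but a second IP appearing soon after a login is suspicious.
        if s.last_login_ip and ip != s.last_login_ip and ts - s.last_login_ts < IP_SWITCH_WINDOW:
            self.notifications.append((user, f"login from new IP {ip} while active from {s.last_login_ip}"))
            return "denied_ip_switch"
        s.failures, s.last_login_ts, s.last_login_ip = 0, ts, ip
        return "ok"

def run_scenario():
    """Constructed timeline (seconds): the user logs in from 192.0.2.10, guesses arrive from 198.51.100.7."""
    guard = LoginGuard()
    events = [("alice", "192.0.2.10", 0, True),
              ("alice", "198.51.100.7", 120, True),    # right password, different IP, too soon
              ("alice", "198.51.100.7", 700, False),
              ("alice", "198.51.100.7", 701, False),
              ("alice", "198.51.100.7", 702, False),
              ("alice", "198.51.100.7", 703, False),
              ("alice", "198.51.100.7", 704, False),   # fifth failure triggers the lock
              ("alice", "198.51.100.7", 705, True)]    # correct guess, but the account is locked
    results = [guard.attempt(*e) for e in events]
    return results, guard.notifications
```

Both rules produce a notification the account owner would receive; the lock applies to every IP, so a legitimate login during the window is also refused, which is the trade-off the thread is arguing about.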