Get a call saying password incorrect.

*Me testing login details*.... Works fine.

Tell user that it was a typo.
*They get angry*
*They start whispering to coworker "oh so it's a capital?!"

Next thing I hear, NVM I found the issue.

*Hangs up*

@gashadokuro Too many times that has happened.

One lady had that issue, it was her wallet on the shift key...

@gashadokuro that could easily be abused by an attacker by locking all customer accounts

@BlueDev I agree but most education institutes have terrible budgets. Making these weird credential systems that a blind person could hack very common.

@BlueDev Is it better to not have a lock or limit to attempts? I mean, rainbow tables still exists

@aaxa Rainbiw tables are used when the attacker already has access to the database. The best guard against rainbow tables are salting the hashes (use bcrypt!) and password policies. You could add a little delay like 5s when the user repeatedly entered a wrong password. But don't implement it via Thread.sleep() as an attacker could easily exhaust your thread pool that way leadind to a dos.

@BlueDev Sorry, let me rephrase. And thanks for peeking my interest in this subject as I certainly misunderstood what a rainbow table is.
What I meant was protection against brute force attacks :)

@gashadokuro thats horrible tbh :(