I have a large number of beefs about authentication systems, but one of the stupidest things that they all do is to miscount password guesses.
Let’s say that my password is aaaaa and that I am trying to authenticate with some web site, and let’s further assume that my caps lock key is accidentally on. Instead of typing aaaaa, I am entering AAAAA. I don’t know this because the password entry box doesn’t show me what I typed (and very few applications give me the option of looking at the password). Since the password is wrong, I get a message telling me I typed it wrong. So I just figure I typed it wrong and enter AAAAA again. Wrong again. This time I look up the password in some secure file where it’s stored, see aaaaa, and then type AAAAA one more time very slowly. Three misses and I’m locked out. I may have to call customer service or do some messy thing with a password reset (which is typically designed to be much less secure than password authentication). If it’s my email password, then I may have a hard time resetting it. Some email hosts will even firewall your IP address because of wrong guesses.
It’s a mess, and all because password authentication programs can’t count. OK, you whiz kids:
AAAAA
AAAAA
AAAAA
is ONE wrong guess, not 3. This stupid implementation is extra trouble for users and for system administrators. And don’t give me a stateless architecture objection—there are ways to do it. By the way, I am a retired software developer, and I have written authentication systems for commercial software. I did it right because I care about the people who have to use my code.
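One way to count it right, as an added example that is not the author's code: the lockout counter keys each failed attempt by a keyed hash of the guess, so repeating the same wrong password (the caps-lock case above) adds nothing to the count, while distinct wrong guesses still count toward the limit. The `FailedAttemptCounter` class, its `max_distinct` and `window_seconds` parameters, and the sample guesses are all assumptions made for this illustration; the keyed hash means the stored digests never reveal what a user's near-miss guess actually was.

```python
import hashlib
import hmac
import os
import time


class FailedAttemptCounter:
    """Lockout counter that counts DISTINCT wrong guesses, not raw failures."""

    def __init__(self, max_distinct=3, window_seconds=900):
        self.max_distinct = max_distinct          # assumed policy: 3 distinct misses
        self.window = window_seconds              # assumed: entries expire after 15 min
        self._attempts = {}                       # username -> {digest: first_seen}
        self._secret = os.urandom(32)             # per-process key; rotate in production

    def _digest(self, username, attempt):
        # Keyed hash: a leaked table of digests does not disclose the guesses,
        # which matter because a wrong guess is often one keystroke from the real password.
        msg = username.encode() + b"\x00" + attempt.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def record_failure(self, username, attempt, now=None):
        """Register a wrong guess; return the number of distinct guesses in the window."""
        now = time.time() if now is None else now
        seen = self._attempts.setdefault(username, {})
        for stale in [d for d, ts in seen.items() if now - ts > self.window]:
            del seen[stale]                       # expire old entries
        seen.setdefault(self._digest(username, attempt), now)  # identical guess: no new entry
        return len(seen)

    def is_locked(self, username):
        return len(self._attempts.get(username, {})) >= self.max_distinct

    def reset(self, username):
        self._attempts.pop(username, None)        # clear on successful login


def simulate(guesses, real_password="aaaaa"):
    """Feed a sequence of guesses for one user; return (distinct_failures, locked)."""
    counter = FailedAttemptCounter()
    user = "alice"                                # constructed sample user
    for i, guess in enumerate(guesses):
        if counter.is_locked(user):
            break
        if hmac.compare_digest(guess, real_password):
            counter.reset(user)
            return 0, False
        counter.record_failure(user, guess, now=1000.0 + i)
    return len(counter._attempts.get(user, {})), counter.is_locked(user)
```

With `simulate(["AAAAA", "AAAAA", "AAAAA"])` the caps-lock user has one distinct miss and is not locked out; three different wrong guesses still trip the limit, and a correct password clears the counter.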
If I ever get my password straightened out, I’ll publish this article.