
For login attempts check, should I do it by ip+username, just ip...?


someguy321


I want to limit the number of incorrect login attempts within a specified time period (e.g. 15 minutes). I'm wondering what I should tie those attempts to.

 

e.g. If too many attempts from one ip address for a specific username, lock them out for 15 minutes? Or too many attempts from any ip address for a specific username? Or too many attempts for an ip address matched loosely (i.e. 255.255.255.0 matching) with a specific username?

 

What's the best choice? Just too many attempts for a username? Or also use the ip address?

 

And should I store the attempts in the session, or the DB?

Have a column in your DB that increments on bad attempts. At 10 attempts, lock the account.

 

On a good attempt, log them in and reset the attempts column.

 

Sure, I understand, but my question is what makes an attempt? Simply a username? Or a username from a specific ip?

 

For example, consider the following two cases:

 

1. Person at ip 192.168.1.100 tried to login to "fakeuser"

2. Person at ip 192.168.1.100 tried to login to "fakeuser"

3. Person at ip 192.168.1.95 tried to login to "fakeuser"

 

Is this 3 attempts on "fakeuser"? Or is it two attempts by the first ip, and only 1 attempt by the second ip?
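The following is an added worked example and is not code from either poster. It records every failed login in a database table with the source IP, the target username and a timestamp, so that both counting policies discussed in the thread can be answered from the same data: attempts per username from any IP, and attempts per (IP, username) pair, each restricted to the 15-minute window from the question. It also applies the reply's rule of locking at 10 attempts and clearing the history on a successful login. The class name `LoginAttemptTracker`, the table `login_failures`, the helper functions and the IP addresses in `lockout_scenario` are assumptions made for this example; the three attempts in `thread_scenario` are the ones listed above.

```python
import sqlite3
import time

WINDOW_SECONDS = 15 * 60   # the 15-minute window from the question
MAX_ATTEMPTS = 10          # lock after this many failures (the reply's threshold)


class LoginAttemptTracker:
    """Hypothetical example class: stores failed logins in a table and
    decides lockouts either per username or per (ip, username) pair."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS login_failures ("
            " ip TEXT NOT NULL, username TEXT NOT NULL, ts REAL NOT NULL)"
        )

    def record_failure(self, ip, username, now=None):
        """Insert one failed attempt; `now` is overridable for testing."""
        ts = time.time() if now is None else now
        self.conn.execute(
            "INSERT INTO login_failures (ip, username, ts) VALUES (?, ?, ?)",
            (ip, username, ts),
        )
        self.conn.commit()

    def reset(self, username):
        """On a successful login, clear the failure history for that account."""
        self.conn.execute("DELETE FROM login_failures WHERE username = ?", (username,))
        self.conn.commit()

    def failures_for_user(self, username, now=None):
        """Failures against this username from any IP inside the window."""
        ts = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT COUNT(*) FROM login_failures WHERE username = ? AND ts > ?",
            (username, ts - WINDOW_SECONDS),
        ).fetchone()
        return row[0]

    def failures_for_ip_user(self, ip, username, now=None):
        """Failures against this username from this specific IP inside the window."""
        ts = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT COUNT(*) FROM login_failures"
            " WHERE ip = ? AND username = ? AND ts > ?",
            (ip, username, ts - WINDOW_SECONDS),
        ).fetchone()
        return row[0]

    def is_locked(self, ip, username, by_ip=False, now=None):
        """True when the chosen counter has reached MAX_ATTEMPTS."""
        if by_ip:
            n = self.failures_for_ip_user(ip, username, now)
        else:
            n = self.failures_for_user(username, now)
        return n >= MAX_ATTEMPTS


def thread_scenario(now=1_700_000_000.0):
    """Replays the three attempts from the post, plus one constructed stale
    failure outside the window, and returns
    (count for "fakeuser" from any IP,
     count for 192.168.1.100 + "fakeuser",
     count for 192.168.1.95 + "fakeuser")."""
    tracker = LoginAttemptTracker(sqlite3.connect(":memory:"))
    # Constructed stale entry: 16 minutes old, must not be counted.
    tracker.record_failure("192.168.1.100", "fakeuser", now - WINDOW_SECONDS - 60)
    tracker.record_failure("192.168.1.100", "fakeuser", now - 120)  # attempt 1
    tracker.record_failure("192.168.1.100", "fakeuser", now - 60)   # attempt 2
    tracker.record_failure("192.168.1.95", "fakeuser", now - 30)    # attempt 3
    return (
        tracker.failures_for_user("fakeuser", now),
        tracker.failures_for_ip_user("192.168.1.100", "fakeuser", now),
        tracker.failures_for_ip_user("192.168.1.95", "fakeuser", now),
    )


def lockout_scenario(now=1_700_000_000.0):
    """Ten failures on "fakeuser", each from a different (assumed) IP, then a
    successful login. Returns (locked per username, locked per ip+username,
    locked after the reset)."""
    tracker = LoginAttemptTracker(sqlite3.connect(":memory:"))
    for i in range(MAX_ATTEMPTS):
        tracker.record_failure(f"10.0.0.{i + 1}", "fakeuser", now - i)
    locked_by_user = tracker.is_locked("10.0.0.10", "fakeuser", now=now)
    locked_by_pair = tracker.is_locked("10.0.0.10", "fakeuser", by_ip=True, now=now)
    tracker.reset("fakeuser")  # the reply's "reset the attempts column" on a good login
    still_locked = tracker.is_locked("10.0.0.10", "fakeuser", now=now)
    return (locked_by_user, locked_by_pair, still_locked)


if __name__ == "__main__":
    print("thread scenario (by user, by .100, by .95):", thread_scenario())
    print("lockout scenario (by user, by pair, after reset):", lockout_scenario())
```

On the three attempts from the post, the per-username count is 3 while the per-pair counts are 2 and 1, which is exactly the difference the question asks about; the stale entry shows why a timestamp, not just a counter column, is needed once attempts are scoped to a time window. The lockout run shows the trade-off between the two keys: counting per username alone locks the account after ten guesses spread across ten addresses, but it also lets anyone who knows a username lock that account, whereas counting per (IP, username) alone never locks in that run because no single address reached the threshold. Storing the counter in the session, the other option in the question, does not hold up against an attacker, because a session belongs to the client that presents its cookie and a request without that cookie starts with a fresh counter; the table above keys on what the server itself observes instead.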

 
