Web application login services are deceptively simple to develop, leading application developers to repeat the mistakes of the past. Learning from the best available mitigations for login service vulnerabilities can have a significant organizational impact in terms of protecting customers and reducing costs related to account breaches.
This paper explores login service security using attack and defense patterns and anti-patterns, offering application developers an easy to follow guide to correctly writing login services. While brute force attacks can't be completely stopped, they can be drastically reduced using a few simple techniques.
The paper can be downloaded here.