I just read an article saying that passwords with 7 characters are no longer safe. However, if the server increases the time to retry a login attempt after each login attempt, then brute force attacks are useless. How do you create such logic in ASP.NET? Somehow I guess the server-side code needs to remember the IP address that tried to log in and should increase the response time with each new try?
IP address isn't really a secure method of identifying the user. You could try storing the last time a login attempt was submitted in a cookie, but if the browser doesn't accept them, it'll be of limited use. Session variables also require cookies, so they're out.
Some sites (Yahoo comes to mind) start showing a CAPTCHA form after the third or so attempt. You have to correctly answer the CAPTCHA in addition to your login details.
Another option would be to disable an account after X failed attempts (which can be tracked in your database), but I personally dislike this as it tends to force me to call someone to get my password reset whenever I forget one.
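As an added example (not code from any of the posters), here is the server-side tracking the question asks about, written in C#: a per-account throttle that doubles the required wait after each consecutive failure inside a sliding window and hard-locks after a threshold, comparable to the Membership provider's maxInvalidPasswordAttempts. The class name, the in-memory store and the timing values are the example's own assumptions.

```csharp
using System;
using System.Collections.Concurrent;

// Per-account login throttle (hypothetical class, not part of ASP.NET Membership).
// Keyed by account name, not client IP, since guesses can come from many addresses.
// In a web farm keep this state in the database or a shared cache; the in-memory
// dictionary is used here only to keep the example self-contained.
public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTime LastFailure, NotBefore; }
    private readonly ConcurrentDictionary<string, Entry> _state =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _window;    // failures older than this are forgotten
    private readonly TimeSpan _maxDelay;  // cap so the wait cannot grow without bound
    private readonly int _lockAfter;      // hard lockout, like maxInvalidPasswordAttempts

    public LoginThrottle(TimeSpan window, TimeSpan maxDelay, int lockAfter)
    { _window = window; _maxDelay = maxDelay; _lockAfter = lockAfter; }

    // Call before verifying the password. Zero means proceed; otherwise it is how long
    // the caller must wait, and the password should not be checked at all meanwhile.
    public TimeSpan DelayBeforeAttempt(string user, DateTime now)
    {
        Entry e;
        if (!_state.TryGetValue(user, out e)) return TimeSpan.Zero;
        lock (e)
        {
            // Streak expired: forget it entirely.
            if (now - e.LastFailure > _window) { Entry gone; _state.TryRemove(user, out gone); return TimeSpan.Zero; }
            if (e.Failures >= _lockAfter) return e.LastFailure + _window - now; // locked out until window ends
            return e.NotBefore > now ? e.NotBefore - now : TimeSpan.Zero;
        }
    }

    // Call after a wrong password: required wait becomes 1s, 2s, 4s, ... up to maxDelay.
    public void RecordFailure(string user, DateTime now)
    {
        var e = _state.GetOrAdd(user, _ => new Entry());
        lock (e)
        {
            if (now - e.LastFailure > _window) e.Failures = 0; // stale streak, start over
            e.Failures++;
            e.LastFailure = now;
            double seconds = Math.Min(Math.Pow(2, e.Failures - 1), _maxDelay.TotalSeconds);
            e.NotBefore = now.AddSeconds(seconds);
        }
    }

    // Call after a correct password so an honest user who mistyped is not penalised later.
    public void RecordSuccess(string user) { Entry e; _state.TryRemove(user, out e); }
}
```

In the login handler, return the same generic error whenever DelayBeforeAttempt is non-zero, otherwise call Membership.ValidateUser and record the outcome; keep maxDelay short, because a long per-account delay lets anyone lock a victim out just by submitting wrong passwords.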
Many brute force attacks occur offline. That's why failed-attempt lock-outs are no substitute for requiring complex passwords, using proper "salt", and key-strengthening.
ASP.NET has a built-in mechanism to prevent brute force attacks against login passwords. Refer to the maxInvalidPasswordAttempts Membership property.
IMHO 7 character passwords are perfectly adequate for most web applications (my bank allows 7 char passwords) provided security best practices are followed, such as securely hashing passwords and blocking brute force attacks.
Once you get beyond 7 or 8 character passwords, you are really saying "my app needs to be super secure", in which case you ought to consider individual client SSL certificates. Requiring more characters in a password has diminishing returns. How many of your users can remember complex 8 or 9 character passwords? They end up writing them down. Personally, I get turned away by any site that requires me to create some super-complex password.
ASP.NET Membership does most of the hard work around security for you, as long as it is set up properly.
However, there are some things ASP.NET Membership cannot do for you, such as:
- Ensuring HTTPS is used
- Preventing CSRF and similar attacks
- Ensuring all web requests are routed to ASP.NET to prevent static content being served up by IIS and bypassing ASP.NET authentication
- Checking that the user is a human (CAPTCHA)
For more on security best practices I'd look at OWASP.