We should implement something to prevent brute force attacks.

Some possible improvements:

User name and password comparisons should be done with constant-time comparison functions. However, in testing there is so much variability between successive function calls that this might be impracticable.
Add a delay after an authentication failure.
Increment a failed-login count, reset on successful authentication. This could enable denial-of-service attacks.
Could store a limited number of client IP addresses and only slow down the IP address(es) with repeated failed attempts.
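As an added example (not code from this project), the points above combined: a constant-time credential check built on hmac.compare_digest, a failure counter that resets on success, and a bounded per-IP table so the throttle itself cannot be filled up. The user store, IPs and delay parameters are constructed for the demo.

```python
import hashlib
import hmac
from collections import OrderedDict

# Constructed store: username -> SHA-256 of the password (demo only; a real
# store would use a slow, salted password hash).
USERS = {"alice": hashlib.sha256(b"correct horse").digest()}


def constant_time_check(username, password):
    """Compare hashes of fixed length with compare_digest; always hash and
    compare, even for unknown users, so the work done does not depend on
    which part of the credential was wrong."""
    expected = USERS.get(username, hashlib.sha256(b"").digest())
    supplied = hashlib.sha256(password.encode()).digest()
    known = username in USERS
    return hmac.compare_digest(expected, supplied) & known


class FailureThrottle:
    """Consecutive failure counts for at most max_ips client addresses.
    The table is bounded and evicts the least recently failing IP, so an
    attacker cannot grow it without limit; a success resets that IP."""

    def __init__(self, max_ips=1000, free_attempts=3, base_delay=1.0, max_delay=30.0):
        self.max_ips = max_ips
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = OrderedDict()  # ip -> consecutive failures

    def record(self, ip, success):
        if success:
            self.failures.pop(ip, None)  # reset on successful authentication
            return
        self.failures[ip] = self.failures.pop(ip, 0) + 1  # re-insert at the end
        while len(self.failures) > self.max_ips:
            self.failures.popitem(last=False)  # evict oldest entry

    def delay_for(self, ip):
        """Seconds to delay the response: nothing until free_attempts failures,
        then doubling per failure up to max_delay. Only this IP is slowed."""
        n = self.failures.get(ip, 0)
        if n < self.free_attempts:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts))


def login(throttle, ip, username, password):
    """Returns (authenticated, seconds to sleep before replying)."""
    ok = constant_time_check(username, password)
    throttle.record(ip, ok)
    return ok, throttle.delay_for(ip)
```

The delay is returned rather than slept so the caller can apply it without holding a worker thread, and the table's eviction order (not just its size) is what keeps one client from pushing out another client's history.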