07-20-2005, 05:10 PM
Paul Waters
Confirmed User
 
Join Date: Mar 2003
Location: Toronto, Ontario
Posts: 4,402
Quote:
Originally Posted by azguy
It's very simple and I don't understand how after 10 years companies still deal with this shit.

1. User signs up, password must be 8 chars or longer with at least 1 digit
2. Spend some $$ on a real programmer and come up with a simple, yet very useful, pattern recognition utility that will monitor user activity and detect irregular IP changes, browsers, cookie data. It's not hard.
3. Once the software detects unusual activity, disable the freakin account and send further instructions on re-activating it to the user's email.
4. Get rid of freakin Basic Authentication..
5. Have your login be form-based and implement a Turing test.
6. Ask yourself why it took you 10 years to figure this out lol

I was about 80% here. Automatically sending the email with re-activating instructions is something I didn't think of. Thank you!

__________________


Paul
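Steps 2 and 3 of the quoted list (watch each account for irregular IP and browser changes, then disable it and email re-activation instructions), sketched as an added example that is not code from either poster. The class name, the thresholds, the one-hour window and the `mailer` callback are assumptions, and the sample events are constructed.

```python
import hashlib, hmac, secrets
from collections import defaultdict, deque

WINDOW = 3600          # seconds of history kept per account (assumed)
MAX_IPS = 3            # distinct IPs tolerated inside the window (assumed)
MAX_AGENTS = 2         # distinct browsers tolerated inside the window (assumed)

class AccountMonitor:
    def __init__(self, mailer):
        self.seen = defaultdict(deque)   # user -> (ts, ip, agent) events
        self.locked = {}                 # user -> SHA-256 of reactivation token
        self.mailer = mailer             # callable(user, token), hypothetical

    def record(self, user, ts, ip, agent):
        """Log one authenticated request; return False if the account is locked."""
        if user in self.locked:
            return False
        q = self.seen[user]
        q.append((ts, ip, agent))
        while q[0][0] < ts - WINDOW:     # drop events older than the window
            q.popleft()
        ips = {e[1] for e in q}
        agents = {e[2] for e in q}
        if len(ips) > MAX_IPS or len(agents) > MAX_AGENTS:
            token = secrets.token_urlsafe(32)
            # Keep only a hash so a leaked table cannot unlock accounts.
            self.locked[user] = hashlib.sha256(token.encode()).digest()
            self.mailer(user, token)     # instructions go to the address on file
            return False
        return True

    def reactivate(self, user, token):
        """Unlock only with the emailed token; compare in constant time."""
        want = self.locked.get(user)
        got = hashlib.sha256(token.encode()).digest()
        if want is None or not hmac.compare_digest(want, got):
            return False
        del self.locked[user]
        self.seen[user].clear()          # start a fresh window after unlock
        return True

def run_sample():
    """Constructed events: alice roams between two IPs, bob's login is shared."""
    outbox = {}
    mon = AccountMonitor(lambda user, token: outbox.__setitem__(user, token))
    for i in range(6):
        mon.record("alice", i * 600, ("192.0.2.10", "198.51.100.7")[i % 2], "Firefox")
    for i in range(5):
        mon.record("bob", i * 120, f"203.0.113.{i + 1}", "MSIE")
    return mon, outbox
```

In the sample run, bob's account locks on the fourth distinct IP inside ten minutes, while alice's two alternating addresses stay under the threshold.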