
Splync v1.2 Introduces Brute-Force Protection for Safer Logins

Splync v1.2 Was Released on July 18, 2025

Splync is a shared budget tracker designed for couples, friends, and small teams — though it can also be used for personal finance management. The app helps users record, split, and settle expenses smoothly, keeping group accounting transparent and fair. The new version, v1.2, marks the second update since Splync’s release on the App Store. While the app already supports secure data storage and encrypted communication, this update focuses on further strengthening the protection of sensitive information such as expense records and project details. Unauthorized access could potentially expose not only your financial data but also the spending history of your project members — so security improvements at the login level are crucial.

A Small Update with Big Security Impact

With Splync v1.2, we are strengthening the safety of your login beyond the existing layers of HTTPS encryption, secure server-side communication, password hashing, email verification, and password reset protection. This release introduces a defense against so-called “brute-force” attacks: attempts in which an attacker tries numerous passwords in rapid succession, hoping to find the correct one. By limiting how frequently login attempts can occur, Splync v1.2 makes it far harder for attackers to guess a password, while ensuring that normal users experience no noticeable slowdown or inconvenience.

What Is a Brute-Force Attack?

A brute-force attack is a simple but powerful method: an attacker repeatedly tries different password combinations until one works. Rather than cleverness, brute force relies on volume and speed. For example, a 4-digit PIN has 10,000 possible combinations — trivial to exhaust if there are no limits on attempts. Although typical account passwords use 8–16 characters drawn from letters, numbers, and symbols (making the theoretical search space astronomically large), real-world attackers dramatically narrow that space by prioritizing likely guesses: leaked password lists, common substitution patterns, and information gleaned from a target’s public profile. A skilled attacker can often reduce the search to a list of plausible passwords (say, 1,000,000 candidates). By submitting around 300 attempts per second, an attacker could go through that entire list in about an hour.

How Splync v1.2 Protects Against Brute-Force Attacks

In Splync v1.2, if someone enters the wrong password five times in a row, the account is temporarily locked for ten minutes. During this lock period, all further login attempts are automatically rejected, even if the password entered later is correct. This mechanism is managed on the server using a login-attempt record for each user, which keeps track of how many times and when an account has failed to authenticate. After the lock period expires, login becomes available again, and the failure count resets. This approach balances security and convenience: extending the lock time would make brute-force attacks even less practical, but it could also frustrate genuine users who mistype their password. Setting it to ten minutes provides a sensible middle ground — enough to block automated attacks, while short enough not to interrupt normal use.

Comparison: With and Without the Ten-Minute Lockout

Let’s visualize the impact of Splync’s protection in simple numbers. Suppose an attacker can attempt 300 passwords per second. Without any brute-force protection, that’s 1,080,000 attempts per hour — an enormous number. With Splync’s ten-minute block after five consecutive failures, the same attacker can only try five passwords every ten minutes, which equals 30 attempts per hour. That’s a drop from 1,080,000 to 30 attempts per hour, making the account roughly 36,000 times harder to attack by brute force. Even if the attacker had a refined list of 1,000,000 likely passwords, it would take them nearly four years to try them all under this restriction. And in reality, if you use a strong password — long, random, and unrelated to personal information — it’s practically impossible for attackers to even narrow their guesses to such a list in the first place. Meanwhile, for normal users, the trade-off is minimal — even if you accidentally enter the wrong password five times, your account simply pauses for ten minutes before allowing another login attempt.
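As an added illustration of the lockout rule and the attempts-per-hour comparison above (not Splync's own code), this Python example keeps a per-user login-attempt record and replays the article's 300-guesses-per-second attacker on a simulated clock. The names LoginGuard, AttemptRecord, the verify hook, the user "alice" and the sample password are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 5        # article: five wrong passwords in a row
LOCK_SECONDS = 10 * 60  # article: ten-minute lock

@dataclass
class AttemptRecord:
    failures: int = 0                     # consecutive failed logins
    locked_until: Optional[float] = None  # time (seconds) at which the lock ends

class LoginGuard:
    """Server-side login-attempt record per user (held in memory here)."""

    def __init__(self, verify):
        self.verify = verify  # hypothetical hook: verify(user, password) -> bool
        self.records = {}

    def attempt(self, user, password, now):
        rec = self.records.setdefault(user, AttemptRecord())
        if rec.locked_until is not None:
            if now < rec.locked_until:
                return "locked"  # rejected before the password is even checked
            rec.failures, rec.locked_until = 0, None  # lock expired: count resets
        if self.verify(user, password):
            rec.failures = 0  # assumption: "in a row" means a success clears the count
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked_until = now + LOCK_SECONDS
        return "failed"

def guesses_checked_per_hour(rate_per_second=300):
    """Replay the article's attacker (wrong guesses at 300/s) for one hour."""
    # Constructed stand-in for a real password-hash check.
    guard = LoginGuard(lambda u, pw: hmac.compare_digest(pw, "constructed-secret"))
    checked = 0
    for i in range(rate_per_second * 3600):
        now = i // rate_per_second  # whole seconds on a simulated clock
        if guard.attempt("alice", f"guess-{i}", now) == "failed":
            checked += 1  # only these guesses were compared to the password
    return checked

if __name__ == "__main__":
    print(guesses_checked_per_hour())
```

In a deployment with more than one server process, the record has to live in shared storage (a database row or cache entry); otherwise each process counts failures separately.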

Looking Ahead

This approach is a standard best practice for modern web and mobile applications: it is simple to understand, straightforward to audit, and significantly increases the cost of brute-force attacks. With Splync v1.2, we are continuing to strengthen the foundations of the app: not just features you can see, but also the security layers that quietly protect your shared budgets in the background. Brute-force protection is one of those invisible improvements that matters a lot when you need it, and does not get in your way when you don’t. As Splync grows, we will keep refining both usability and security, so that splitting expenses with partners, friends, and project members remains not only simple and transparent, but also safe.