If a website has a 5 second time delay before showing the login form, is that likely a security measure?

Is the homepage implementing some sort of security measure?

If you are referring to https://www.chase.com, then nope, it's just slow to load and do the transition thing. Terrible UX maybe, but this is not a security feature. A login cracking bot would not typically use the user interface anyway.

Basically, it's a banking website, and terrible UX is sadly the norm.


While this particular case may not be security related, it's not uncommon to have rate-limiting between login requests. This would have to be implemented in the back-end code to effect all requests to be effective.


One possible scenario where this delay could be because of a security measure is if the site is using something like a Client Puzzle Protocol (CPP). This does not appear to the case with https://www.chase.com/, but CPPs can be used prevent denial of service attacks against slow hashing functions. It is basically an implementation of Proof-of-Work system. More details here.

The basic idea is to force the client to do a significant amount of work, and prove it has done so, before you will accept a username/password pair and try to validate it. Basic overview of the approach from the linked post:

The server generates a random puzzle, and sends the puzzle to the client. The server generates the puzzle in a way that it can predict reasonably well how much effort will be required to solve the puzzle (e.g., 100ms of computation). The client solves the puzzle, and then sends the solution along with the user's username and password.

In a web setting, this would probably be implemented with Javascript: the login page would contain the Javascript code to solve the puzzle and the puzzle description. A legitimate user's web browser would run the Javascript on the page, which would solve the puzzle and include the solution in the form along with the username and password.

Based on how this is implemented, a site could delay loading of the login page until the client (your browser) solves the puzzle. Again a bad UI design -- I'd just disable the login button until the puzzle is solved and enable the button for login form submission once the client has a solution.