If I can get a list of user names, then it is more efficient for me to pick a really common password and iterate across user names. Not helpful to the attacker aiming for a named target, but likely to work pretty well in, say, the universe of Facebook names, and I don't trigger 3-strikes-and-you're-out alarms. No?
Tangentially,

--dan

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
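
Added example, not part of the original post: a defender-side sketch of why a per-account "3 strikes" counter never fires on the pattern described above, while counting distinct accounts that fail from one source does. The log record layout, addresses, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, source, username, success)
EVENTS = (
    # one failed guess per account, many accounts, same source
    [(1000 + i * 5, "198.51.100.7", f"user{i:02d}", False) for i in range(12)]
    # repeated failures against a single account
    + [(1010 + i * 10, "203.0.113.9", "alice", False) for i in range(3)]
    # ordinary typo followed by a successful login
    + [(1040, "192.0.2.4", "bob", False), (1050, "192.0.2.4", "bob", True)]
)

LOCKOUT_STRIKES = 3        # assumed per-account lockout threshold
SPRAY_DISTINCT_USERS = 10  # assumed distinct-account threshold per source
WINDOW = 300               # assumed sliding window, in seconds


def per_account_lockouts(events):
    """Accounts that a consecutive-failure counter per account would lock."""
    fails, locked = defaultdict(int), set()
    for _, _, user, ok in sorted(events):
        fails[user] = 0 if ok else fails[user] + 1
        if fails[user] >= LOCKOUT_STRIKES:
            locked.add(user)
    return locked


def spray_sources(events):
    """Sources whose failures hit many distinct accounts inside WINDOW."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        if not ok:
            by_src[src].append((ts, user))
    flagged = set()
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window until it spans at most WINDOW seconds
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= SPRAY_DISTINCT_USERS:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("locked by per-account counter:", per_account_lockouts(EVENTS))
    print("flagged by distinct-account counter:", spray_sources(EVENTS))
```

Keying only on source address is itself an assumption; the same distinct-account count can be kept per password hash or per time window across all sources when guesses are spread over many addresses.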
