On Thu, 28 May 2015, Rich Kulawiec wrote:

> I think this (Bill's) is a very good practice.  It's not that difficult
> to enumerate the name of every pro sports team in the US, the 100 most
> popular dog names, the 200 most common street names, etc.  This attack
> can be mitigated by limiting attempts...but of course if that's done,
> then it's possible for an attacker to lock out the real owner by just
> hammering away constantly using assorted botnet hosts.

There are providers (banks, etc.) who will disable an online account that
has had X failed login attempts.  While that's good for preventing $bad_guy
from continuing to try to brute-force-guess the password, it creates a
nominal DoS condition for the legitimate owner, who then has to contact the
provider and go through their password reset procedure.

In most of the cases I've seen, the provider is not well equipped to block
login attempts for $legit_user from whatever address range is doing the
brute-forcing (possibly spoofed / botted anyway).

jms
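As an added illustration of the trade-off the two messages above describe (not code from the thread or from any provider): the simulation below compares an account-wide lockout after X failures with a policy that counts failures per (account, source address) and throttles only the offending source. Account names, passwords and the addresses are all constructed for the example.

```python
"""Added example, not part of the original thread.

Policy A (AccountLockout): X failures against an account disable it for
everyone, including the real owner logging in from an unrelated address.
Policy B (SourceThrottle): failures are counted per (account, source) and
only that source is throttled, so the owner can still log in elsewhere.

A small "botnet" hammers one account from several addresses, then the
legitimate owner tries to log in. All data below is constructed.
"""
from collections import defaultdict

# Constructed credential store (hypothetical user and password).
USERS = {"alice": "correct-horse"}


class AccountLockout:
    """Policy A: lock the account after max_failures, regardless of source."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked = set()

    def login(self, user, password, source):
        if user in self.locked:
            return "locked"                # nobody gets in, owner included
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


class SourceThrottle:
    """Policy B: count failures per (account, source); throttle that source only."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # (account, source) -> failures

    def login(self, user, password, source):
        key = (user, source)
        if self.failures[key] >= self.max_failures:
            return "throttled"             # this source is cut off
        if USERS.get(user) == password:
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(policy, attacker_sources, guesses_per_source=6):
    """Attacker guesses against 'alice' from each source, then alice logs in
    from her own (constructed) address. Returns (attacker results, owner result)."""
    attacker = []
    for src in attacker_sources:
        for i in range(guesses_per_source):
            attacker.append(policy.login("alice", f"guess{i}", src))
    owner = policy.login("alice", "correct-horse", "203.0.113.10")
    return attacker, owner


def compare(botnet_size=3):
    """For each policy: how many guesses were actually checked against the
    password ("denied" means the guess was evaluated), and the owner's outcome."""
    sources = [f"198.51.100.{i}" for i in range(1, botnet_size + 1)]
    a_attack, a_owner = simulate(AccountLockout(), sources)
    b_attack, b_owner = simulate(SourceThrottle(), sources)
    return {
        "account_lockout": (a_attack.count("denied"), a_owner),
        "source_throttle": (b_attack.count("denied"), b_owner),
    }


if __name__ == "__main__":
    print(compare())
```

With three attacking addresses, policy A stops the guessing after five attempts but the owner is locked out until she goes through the provider's reset procedure; policy B keeps her logged in but hands the attacker five checked guesses per source, which is the "botted anyway" objection in the reply above. Neither policy alone resolves the problem the thread raises.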
