On Fri, May 29, 2015 at 12:32:34PM -0400, Justin M. Streiner wrote:
There are providers (banks, etc) who will disable an online account that has had X failed login attempts. While that's good for preventing $bad_guy from continuing to try to brute-force-guess the password, it creates a nominal DoS condition for the legitimate owner who then has to contact the provider and go through their password reset procedure.
This is why automatic lockout procedures are a problem for some operations, particularly those which are known to create user account names based on algorithms like "first initial + last name, truncated to 8 characters". It's not at all difficult to construct a list of valid (or probably-valid) usernames at such sites, hit them all repeatedly from distributed botnets (N-1 times from any one address, where N times would trigger IP-based blocking methods) and thus effectively DoS a decent fraction of the users.

---rsk
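A small model of the trade-off discussed in this thread, added here as an example (not code from either poster): it compares a hard per-account lockout with a progressive-delay policy under the scenario rsk describes, where many source addresses each stay below a per-IP threshold. The class and function names, thresholds, and the username "jsmith" are assumed or constructed for illustration.

```python
from collections import defaultdict


class HardLockout:
    """Disable the account after max_failures bad passwords until a manual reset."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, password_ok, now=0):
        if user in self.locked:
            return "locked"  # even the correct password is refused
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


class ProgressiveDelay:
    """Never lock: each failure doubles a per-account wait, capped at max_delay seconds."""

    def __init__(self, base_delay=1, max_delay=300):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(int)

    def attempt(self, user, password_ok, now=0):
        if now < self.next_allowed[user]:
            return "throttled"  # too soon; the attempt is not evaluated or counted
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        delay = min(self.base_delay * 2 ** (self.failures[user] - 1), self.max_delay)
        self.next_allowed[user] = now + delay
        return "denied"


def simulate(policy, user, addresses, per_address, wait=600):
    """Constructed scenario: `addresses` sources each make `per_address` wrong guesses
    at t=0 (each below a per-IP threshold), then the real owner logs in with the
    correct password `wait` seconds later. Returns the owner's result."""
    for _ in range(addresses):
        for _ in range(per_address):
            policy.attempt(user, password_ok=False, now=0)
    return policy.attempt(user, password_ok=True, now=wait)
```

With a hard lockout of 5, three addresses making four guesses each are enough to shut the legitimate owner out; the delay-based policy throttles the guessing but still lets the owner in with the correct password once the wait has elapsed.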