Re: Rate limiting surely must help?
But the problem becomes when they STEAL an account, get in first try, and use that to troll your system, perhaps smurf your password database, crack it at their leisure, and find ways to get into admin accounts in so doing?
Seriously, are you for real? What web sites allow their users to get the password database? What websites let normal users get into admin accounts? If anyone finds such a site, who (other than spammers and low-skill hackers) is going to want to stay there since it'll be spammed beyond belief and have no worthwhile content?
Come on Ch, er, AC.. Instead of your rather formulaic (and often extremely unrealistic) negative posts ("oh but what happens WHEN they put a GUN to your HEAD and DEMAND you GIVE THEM your 2FA TOKEN that you LOST because PEOPLE can't REMEMBER things?") how's about coming up with some solutions eh? If you can think of a problem (and I mean an actually realistic one likely to affect real people, not your unrealistic 'any user can "smurf" your password database' crud) then mention it, sure, but also suggest possible solutions. I've seen you post some great stuff and I do look forward to seeing more of that from you, but sometimes this negative formula you apply to so many posts (especially security ones) gets a bit old.
(Oh, and if the AC I'm replying to isn't the person I'm pretty sure they are, then that person has more to worry about than someone using his unused throwaway accounts to mimic him; he also has to worry about others using his posting style, which can be a bigger issue than using real accounts!)