Malicious parties often seek to gain access to systems through a variety of means, including brute force attacks. Brute force attacks may be horizontal, in which the malicious party attempts to compromise the accounts of multiple legitimate users; vertical, in which the malicious party attempts to compromise the account of one legitimate user multiple times; or a combination of both. When a malicious party attempts to gain access to a system using vertical brute force attacks, multiple passwords are tried in combination with a username (or a suspected username) for an account, often one associated with an administrator or high-level user. Vertical brute force attacks are often made in rapid succession by a machine controlled by the malicious party to quickly try several suspected passwords against a username.
To combat these attacks, an administrator of the system may set rules by which an account is “locked” after a specified number of login attempts, so that no one can access the account until the administrator unlocks it. Unfortunately, the rules for account locking may also be triggered by benign errors. For example, a user may set a program to automatically log in to the system, but forget to update a password in the program after a password change (or otherwise supply the wrong password), causing the program to lock legitimate users out of their own accounts. Locking users out of their own accounts does not improve the security of the system, and may eventually weaken it if accounts are locked too frequently, because frustrated users bypass security and ignore good security practices, and because of administrator time constraints.
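The distinction drawn above can be made concrete with a short added example (not part of the original text). It runs a plain per-account lockout counter and a horizontal/vertical classifier over the same constructed failed-login records. The thresholds, addresses, account names and password digests are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of failed logins: (source, username, digest of submitted password).
# Digests stand in for whatever credential fingerprint a real log would carry.
FAILED_LOGINS = (
    [("10.0.0.5", "admin", f"pw{i}") for i in range(6)]            # one account, many passwords
    + [("10.0.0.9", f"user{i}", "pw-common") for i in range(6)]    # many accounts, one password
    + [("10.0.0.7", "svc_backup", "pw-old")] * 6                   # stale saved password, retried
)

LOCKOUT_THRESHOLD = 5   # assumed rule: lock after this many failed attempts
SPREAD_THRESHOLD = 5    # assumed cut-off for "multiple" users or passwords


def naive_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts locked by a plain per-account failure counter."""
    failures = defaultdict(int)
    for _source, user, _digest in events:
        failures[user] += 1
    return {user for user, count in failures.items() if count >= threshold}


def classify_sources(events, spread=SPREAD_THRESHOLD):
    """Label each source as horizontal, vertical, both or neither."""
    users = defaultdict(set)        # source -> usernames tried
    passwords = defaultdict(set)    # (source, username) -> distinct passwords tried
    for source, user, digest in events:
        users[source].add(user)
        passwords[(source, user)].add(digest)
    labels = {}
    for source, tried in users.items():
        horizontal = len(tried) >= spread
        vertical = any(len(passwords[(source, u)]) >= spread for u in tried)
        labels[source] = ("both" if horizontal and vertical else
                          "horizontal" if horizontal else
                          "vertical" if vertical else "neither")
    return labels


if __name__ == "__main__":
    print("locked:", sorted(naive_lockout(FAILED_LOGINS)))
    for source, label in sorted(classify_sources(FAILED_LOGINS).items()):
        print(source, label)
```

On this sample the counter locks both the attacked account and the account behind the stale saved password, while the horizontal source never reaches the per-account threshold.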