Many systems require a valid user name and password combination before granting access to a corresponding account. Unfortunately, users often pick user names and/or passwords that are guessable. More specifically, users often pick passwords that are common words or easy-to-type strings. Unauthorized attempts to access user accounts often occur, therefore, in the form of “dictionary attacks”, which involve the use of a list of common words.
A simple dictionary attack exhibits a fairly distinctive fingerprint. Typically, a simple dictionary attack appears as a large number of invalid login attempts against a single account originating from a single IP address. It is fairly easy to stop such an attack by disabling the account under attack or by blocking access from the IP address.
However, more sophisticated dictionary attacks do occur. These include attacks from multiple IP addresses, “horizontal attacks” (i.e., attempting to log into multiple accounts using the same password), and “diagonal attacks” (i.e., different passwords against different accounts).
In general, the only defense against simple and sophisticated dictionary attacks is to reduce the login processing rate (i.e., the number of login attempts that can be processed over a defined period of time). Though this technique generally succeeds in its basic purpose, it leads to login bottlenecks, which slow down valid login attempts and impose burdens on legitimate users. Moreover, account restrictions punish the victim rather than the perpetrator. If, for example, there is an attack against an account, that account gets disabled and the account user is responsible for initiating the recovery.
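As an added illustration (not part of the original text), the following Python scores a window of failed logins against the three fingerprints described above: one IP against one account (the simple attack), one IP across many accounts (horizontal-style), and many IPs against one account (distributed). The audit records, the `(timestamp, ip, account, success)` layout, and the threshold of three are constructed assumptions; the comments note where a per-account lockout would punish the victim rather than the attacker.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit records: (timestamp, source IP, account, success).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "198.51.100.7", "alice", False),
    ("2024-01-01T10:00:01", "198.51.100.7", "alice", False),
    ("2024-01-01T10:00:02", "198.51.100.7", "alice", False),   # simple: one IP, one account
    ("2024-01-01T10:01:00", "203.0.113.9", "bob", False),
    ("2024-01-01T10:01:01", "203.0.113.9", "carol", False),
    ("2024-01-01T10:01:02", "203.0.113.9", "dave", False),     # horizontal: one IP, many accounts
    ("2024-01-01T10:02:00", "192.0.2.1", "grace", False),
    ("2024-01-01T10:02:01", "192.0.2.2", "grace", False),
    ("2024-01-01T10:02:02", "192.0.2.3", "grace", False),      # distributed: many IPs, one account
    ("2024-01-01T10:03:00", "198.51.100.20", "heidi", False),
    ("2024-01-01T10:03:05", "198.51.100.20", "heidi", True),   # one typo, then success: benign
    ("2024-01-01T08:00:00", "198.51.100.7", "alice", False),   # outside the window: ignored
]
SAMPLE_NOW = datetime(2024, 1, 1, 10, 5, 0)  # constructed "current time" for the sample


def classify_failures(events, now, window=timedelta(minutes=10), threshold=3):
    """Count failed logins inside [now - window, now] by (ip, account), by account
    and by ip, and report which keys exceed the threshold for each fingerprint."""
    start = now - window
    per_pair = defaultdict(int)          # (ip, account) -> failure count
    ips_per_account = defaultdict(set)   # account -> distinct source IPs
    accounts_per_ip = defaultdict(set)   # ip -> distinct accounts tried
    for ts, ip, account, ok in events:
        if ok or not (start <= datetime.fromisoformat(ts) <= now):
            continue
        per_pair[(ip, account)] += 1
        ips_per_account[account].add(ip)
        accounts_per_ip[ip].add(account)
    return {
        # simple attack: blocking the IP stops it without touching the account
        "single_ip_single_account": sorted(k for k, n in per_pair.items() if n >= threshold),
        # horizontal-style: only visible when counting distinct accounts per IP
        "single_ip_many_accounts": sorted(ip for ip, a in accounts_per_ip.items() if len(a) >= threshold),
        # distributed: per-IP blocking alone will not stop it, and a per-account
        # lockout here disables the victim, exactly the cost the text describes
        "many_ips_single_account": sorted(a for a, s in ips_per_account.items() if len(s) >= threshold),
    }


def analyze_sample():
    """Run the classifier over the constructed records."""
    return classify_failures(SAMPLE_EVENTS, SAMPLE_NOW)
```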