I was recently equipped with a password on a new website. I made the mistake of giving my email address in two different forms in different places (a bad piece of design – if you have to have the same email address in both, why not automatically copy it over?). In attempting to log in again, I used the ‘wrong’ form of the address and quickly found myself locked out, unable even to make further login attempts. Phone calls were necessary in order to release me and give me access again.
The problem is that the behaviour of someone who believes they have the right login credentials, but doesn’t, is very similar to that of a denial-of-service attack – bombarding a site with several login attempts in quick succession. It’s a challenge to separate the two, but I think the human-generated pattern has certain characteristics. The human user will leave at least a few seconds between attempts. Also, he or she will not vary their attempts very much – they are likely to use the same few IDs/passwords in various combinations repeatedly. It shouldn’t be too difficult to be more generous to a login pattern of this type than to a suspected denial-of-service attack. Logging in a few times at an interval of several seconds is not going to hack or break a server, unless multiple attempts of this kind occur simultaneously.
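As an added illustration (not code from the original post), here is one way a site could apply the two characteristics described above: spacing between attempts and how much the submitted identifiers and secrets vary. Failed attempts are grouped under a canonical form of the account identifier, so the two spellings of one email address count as the same person retrying, and a slow, low-variety pattern is allowed more failures before lockout than a rapid, high-variety one. The thresholds, the log line format, the account names and the credential fingerprints are all constructed for the example; a real system would store only a hash-derived fingerprint of each submitted secret, never the secret itself.

```python
"""Lockout policy that treats slow, repetitive retries more generously than
rapid, high-variance bursts of login failures. Constructed example; the
thresholds and sample data are assumptions, not measurements."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy constants (assumed values; tune per deployment).
WINDOW = timedelta(minutes=10)        # only failures this recent are counted
HUMAN_MIN_GAP = timedelta(seconds=3)  # a person pauses at least this long
HUMAN_MAX_IDS = 3                     # e.g. two spellings of one address
HUMAN_MAX_SECRETS = 4                 # "the same few passwords"
HUMAN_LIMIT = 15                      # failures tolerated for a human pattern
MACHINE_LIMIT = 5                     # failures tolerated for anything else


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    account: str    # identifier exactly as typed
    secret_fp: str  # fingerprint of the submitted secret (never the secret)
    source_ip: str


def canonical(account: str) -> str:
    """Fold the different 'forms' of an address into one grouping key."""
    return account.strip().lower()


def parse_log(text: str) -> list[Attempt]:
    """Parse constructed log lines of the form '<iso-ts> <account> <ip> <secret_fp>'."""
    attempts = []
    for line in text.strip().splitlines():
        ts, account, ip, fp = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), account, fp, ip))
    return attempts


def classify(attempts: list[Attempt]) -> str:
    """'human' if spacing and variety look like a person retrying, else 'machine'."""
    if len(attempts) < 2:
        return "human"
    ordered = sorted(attempts, key=lambda a: a.ts)
    gaps = [b.ts - a.ts for a, b in zip(ordered, ordered[1:])]
    ids = {a.account for a in ordered}
    secrets = {a.secret_fp for a in ordered}
    if (min(gaps) >= HUMAN_MIN_GAP
            and len(ids) <= HUMAN_MAX_IDS
            and len(secrets) <= HUMAN_MAX_SECRETS):
        return "human"
    return "machine"


class LoginGuard:
    """Tracks failed attempts per canonical account and decides on lockout."""

    def __init__(self) -> None:
        self._failures: dict[str, list[Attempt]] = defaultdict(list)

    def record_failure(self, attempt: Attempt) -> None:
        self._failures[canonical(attempt.account)].append(attempt)

    def recent(self, account: str, now: datetime) -> list[Attempt]:
        """Drop failures older than WINDOW and return the rest."""
        key = canonical(account)
        self._failures[key] = [a for a in self._failures[key] if now - a.ts <= WINDOW]
        return self._failures[key]

    def is_locked(self, account: str, now: datetime) -> bool:
        recent = self.recent(account, now)
        limit = HUMAN_LIMIT if classify(recent) == "human" else MACHINE_LIMIT
        return len(recent) >= limit


def evaluate(log_text: str, now: datetime) -> tuple[str, bool]:
    """Replay a failure log through the guard; return (pattern, locked?)."""
    guard = LoginGuard()
    attempts = parse_log(log_text)
    for attempt in attempts:
        guard.record_failure(attempt)
    account = attempts[-1].account
    return classify(guard.recent(account, now)), guard.is_locked(account, now)


# Constructed sample: one person alternating two spellings of their address
# and two passwords, with pauses of 9-18 seconds between tries.
HUMAN_LOG = """
2024-03-01T09:00:00 Alice.Smith@example.com 203.0.113.5 fp-a1
2024-03-01T09:00:09 alice.smith@example.com 203.0.113.5 fp-a1
2024-03-01T09:00:21 Alice.Smith@example.com 203.0.113.5 fp-b2
2024-03-01T09:00:33 alice.smith@example.com 203.0.113.5 fp-b2
2024-03-01T09:00:50 Alice.Smith@example.com 203.0.113.5 fp-a1
2024-03-01T09:01:08 alice.smith@example.com 203.0.113.5 fp-b2
"""

# Constructed sample: twelve failures 200 ms apart, every secret different.
_base = datetime(2024, 3, 1, 9, 5, 0)
MACHINE_LOG = "\n".join(
    f"{(_base + i * timedelta(milliseconds=200)).isoformat()} "
    f"bob@example.com 198.51.100.7 fp-{i:02d}"
    for i in range(12)
)

if __name__ == "__main__":
    print("human sample  :", evaluate(HUMAN_LOG, datetime(2024, 3, 1, 9, 2, 0)))
    print("machine sample:", evaluate(MACHINE_LOG, datetime(2024, 3, 1, 9, 6, 0)))
```

The human sample is classified as a human pattern and stays well under its 15-failure allowance, while the rapid sample exceeds the machine allowance of 5 and is locked. The sliding window also means the author's situation resolves itself after WINDOW elapses rather than needing a phone call; a site that wanted extra caution for the simultaneous case mentioned at the end of the post could additionally count distinct source addresses per account within the window.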