timppu: But wouldn't such anti-measures block such bot scripts from repeatedly trying to log in with different passwords? Or do those bots know how to bypass the verification?
Depending on what the extra measures are, they may be useless...
Consider, some places add a 5-15 minute enforced delay before trying again after N password attempts. For a single account, this would kill bots for brute-force cracking or going via a list; however, they probably have several hundred or a few thousand IDs. With hundreds of IDs, as soon as they hit their limit, they move on to the next one with the same passwords, and by the time they come back around that time limit is up. If it's linked to an IP address, with several bots hitting the account, each IP may get blocked for 5-15 minutes. If it's cookie related (for the counter of how many attempts have been made), simply clearing the cookie would let them continue. If an IP can only make 3-5 attempts per 5-15 minutes on any account period, then simply using another proxy would give them another IP they could work with for another 3-5 attempts.
Assuming the weak passwords are within a predetermined list of say 10,000 weak passwords, at 1 attempt per second, you'd break it within 7 days.... It merely comes down to how many bots and how the deterrent is set up.
I'm reminded of back when I had an open FTP server with two accounts: anonymous, where I could put files I'd share with anyone and everyone, even if they were silly or utilities... and a private account. Someone found my FTP server and every second was hitting it with 1-2 password attempts on an account name that didn't exist (administrator). Some of the passwords attempted were very interesting...
OlivawR: Or use a password manager like KeePass.
I remember using a password manager once... I had a master password that it used to generate and encrypt new hashes from, and then when I needed a new password I clicked on it and it would generate the next one. I could even customize what letters were allowed by the password field, making it very customizable... Good for when I needed unique passwords every month for a business account...
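An added example, not from anyone in this thread, showing the defender's side of the point above: per-account and per-IP lockout counters never fire against a spray that rotates accounts and source IPs, while a counter of distinct accounts failed per source IP does. The log format, addresses, timestamps and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed auth log: "<epoch_s> <src_ip> <account> <result>". Not real data.
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.5 bob FAIL
1002 203.0.113.5 carol FAIL
1003 203.0.113.5 dave FAIL
1020 198.51.100.7 erin FAIL
1021 198.51.100.7 frank FAIL
1022 198.51.100.7 alice FAIL
1023 198.51.100.7 bob FAIL
1100 192.0.2.44 carol FAIL
1105 192.0.2.44 carol OK
1130 192.0.2.99 dave OK
"""

def parse_log(text):
    """Return [(ts, ip, account, ok)] from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, ip, acct, result = line.split()
        events.append((int(ts), ip, acct, result == "OK"))
    return events

def lockouts(events, key, threshold, window_s):
    """Keys (key=1 source IP, key=2 account) reaching >= threshold failures inside window_s."""
    fails = defaultdict(list)  # key -> timestamps of recent failures
    locked = set()
    for ev in events:
        if ev[3]:  # successful login, not counted
            continue
        recent = [t for t in fails[ev[key]] if ev[0] - t < window_s] + [ev[0]]
        fails[ev[key]] = recent
        if len(recent) >= threshold:
            locked.add(ev[key])
    return locked

def spray_sources(events, min_accounts, window_s):
    """IPs whose failures span >= min_accounts distinct accounts within window_s."""
    seen = defaultdict(list)  # ip -> [(ts, account)] of recent failures
    flagged = {}
    for ts, ip, acct, ok in events:
        if ok:
            continue
        seen[ip] = [(t, a) for t, a in seen[ip] if ts - t < window_s] + [(ts, acct)]
        accts = {a for _, a in seen[ip]}
        if len(accts) >= min_accounts:
            flagged[ip] = accts
    return flagged
```

With the sample log, a 3-failures-per-account lockout and a 5-failures-per-IP lockout both stay silent, while the distinct-account counter flags both spraying sources and leaves the legitimate user who mistyped once alone.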