Gregory Maxwell wrote:
Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like John the Ripper have rules systems which predict such patterns with frightening accuracy.
But those predictions are only useful if the attacker has unlimited login attempts. If we're taking the step of asking users (and admins) to pick stronger passwords, we should absolutely at the same time be taking steps in software to detect repeated login failures and (a) lock out the account, (b) slow way down, and/or (c) notify the (real) user.
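The three measures listed in the reply above, sketched as an added example that is not part of the original thread: a per-account tracker that doubles the delay after each failure, locks the account at a threshold, and calls a notification hook. The class name, thresholds, and `notify` callback are assumptions chosen for illustration.

```python
import time

class LoginThrottle:
    """Per-account failed-login tracking: slow down, lock out, notify."""

    def __init__(self, max_failures=5, lock_seconds=900, base_delay=1.0,
                 notify=None, clock=time.monotonic):
        self.max_failures = max_failures    # failures before lockout (assumed value)
        self.lock_seconds = lock_seconds    # lockout length (assumed value)
        self.base_delay = base_delay        # first delay; doubles per failure
        self.notify = notify or (lambda account, count: None)
        self.clock = clock                  # injectable so tests need not sleep
        self.state = {}                     # account -> (failures, next_allowed)

    def wait_required(self, account):
        """Seconds until the next attempt is accepted (0.0 if allowed now)."""
        _, next_allowed = self.state.get(account, (0, 0.0))
        return max(0.0, next_allowed - self.clock())

    def attempt(self, account, password_ok):
        """Return 'ok', 'failed', 'throttled' or 'locked' for one attempt."""
        count = self.state.get(account, (0, 0.0))[0]
        if self.wait_required(account) > 0:
            # Refused before the password result is used, so guesses made
            # during a delay or lock reveal nothing.
            return "locked" if count >= self.max_failures else "throttled"
        if password_ok:
            self.state.pop(account, None)   # success clears the history
            return "ok"
        count += 1
        if count >= self.max_failures:
            delay = self.lock_seconds                   # (a) lock out
            self.notify(account, count)                 # (c) notify the real user
        else:
            delay = self.base_delay * 2 ** (count - 1)  # (b) slow way down
        self.state[account] = (count, self.clock() + delay)
        return "failed"

if __name__ == "__main__":
    # Constructed demo: five wrong guesses with a simulated clock.
    now = [0.0]
    t = LoginThrottle(notify=lambda a, c: print("notify", a, c), clock=lambda: now[0])
    for _ in range(5):
        now[0] += t.wait_required("alice")
        print(t.attempt("alice", False), t.wait_required("alice"))
```

Keying on the account name alone means anyone can trigger a lockout for that user, so the threshold and lock period trade guessing resistance against availability.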