Gregory Maxwell wrote:
Most people given those restrictions type out letter patterns on the keyboard.
Cracking programs like John the Ripper have rules systems
which predict such patterns with frightening accuracy.
But those predictions are only useful if the attacker has
unlimited login attempts. If we're taking the step of asking
users (and admins) to pick stronger passwords, we should
absolutely at the same time be taking steps in software to
detect repeated login failures and (a) lock out the account,
(b) slow way down, and/or (c) notify the (real) user.
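The three responses listed above (lock out the account, slow down, notify the real user) can live in one small piece of server-side state per account. The following is an added example, not code from the thread or from either poster; the thresholds, the in-memory store and the `notify` callback are assumptions, and the current time is passed in explicitly so the logic can be exercised without a clock.

```python
"""Login-failure guard: counts failures per account in a sliding window,
adds a growing delay to every response once failures start, locks the
account after a threshold, and calls a notification hook once per lock.

Added example, not from the original thread.  Thresholds, the in-memory
dict and the notify callback signature are assumptions; a real service
would keep this state in a shared store and read `now` from a clock.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

LOCKOUT_THRESHOLD = 5        # failures inside the window before locking (assumed)
WINDOW_SECONDS = 15 * 60     # sliding window in which failures are counted (assumed)
LOCKOUT_SECONDS = 30 * 60    # how long a lock lasts (assumed)
BASE_DELAY_SECONDS = 1.0     # delay after the first failure; doubles per failure (assumed)
MAX_DELAY_SECONDS = 60.0     # cap so the tarpit stays bounded (assumed)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # failure timestamps
    locked_until: Optional[float] = None                 # None when not locked
    notified: bool = False                               # owner told about this lock?


@dataclass
class Decision:
    allowed: bool   # may the caller even verify the password?
    delay: float    # seconds the caller should wait before answering
    reason: str     # "ok" or "locked"


class LoginGuard:
    def __init__(self, notify: Callable[[str, str], None]):
        self._accounts: Dict[str, AccountState] = {}
        self._notify = notify  # e.g. sends mail to the account owner

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    @staticmethod
    def _prune(st: AccountState, now: float) -> None:
        # Forget failures that fell out of the sliding window.
        st.failures = [t for t in st.failures if now - t <= WINDOW_SECONDS]

    def check(self, user: str, now: float) -> Decision:
        """Call before verifying the password.  A locked account is refused
        outright, so a correct guess during the lock cannot be confirmed."""
        st = self._state(user)
        if st.locked_until is not None:
            if now < st.locked_until:
                return Decision(False, 0.0, "locked")
            # Lock expired: start with a clean slate.
            st.locked_until = None
            st.failures.clear()
            st.notified = False
        self._prune(st, now)
        n = len(st.failures)
        delay = min(BASE_DELAY_SECONDS * 2 ** (n - 1), MAX_DELAY_SECONDS) if n else 0.0
        return Decision(True, delay, "ok")

    def record_failure(self, user: str, now: float) -> AccountState:
        """Call after a wrong password.  Locks and notifies at the threshold."""
        st = self._state(user)
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            if not st.notified:
                self._notify(user, f"{len(st.failures)} failed logins in "
                                   f"{WINDOW_SECONDS // 60} min; account locked for "
                                   f"{LOCKOUT_SECONDS // 60} min")
                st.notified = True
        return st

    def record_success(self, user: str) -> None:
        """Call after a correct password on an unlocked account."""
        self._accounts.pop(user, None)


if __name__ == "__main__":
    guard = LoginGuard(lambda user, msg: print(f"notify {user}: {msg}"))
    for t in range(1, 7):                       # constructed: six bad attempts
        d = guard.check("alice", float(t))
        print(f"t={t}: allowed={d.allowed} delay={d.delay}s reason={d.reason}")
        if d.allowed:
            guard.record_failure("alice", float(t))
```

The caller should apply `delay` before answering whether or not the password was right, so response timing does not reveal which attempts were close. Because the lock is per account, the same mechanism lets anyone who knows a username lock its owner out, which is why the notification and a bounded lock duration matter as much as the lock itself.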