Source: Boing Boing
Article note: That's clever. The assumption of all these systems is that people _want_ to get in, so they lock out on repeated login failure, and it gives an attacker information to tell when that happens... so when there is a benefit to locking an account, there really isn't much defense.
This Twitter thread is wild. Read the text below, or, tl;dr for spoilers —
The 8-year-old figured out how to temporarily lock the account by entering enough wrong passwords, and did that every time she got bored in class. It took them 3 weeks to figure it out.