Internet Password Lockout: Mitigate Username Discovery Attacks 
Use this IdeaSpace to post ideas about Domino Server.

Category: Domino Server / Web application server
Tags: internet password lockout
Posted by Mark Demicoli10094, 21 Aug 2012

The Internet Password Lockout feature of Domino HTTP appears to have a security flaw.  In a username discovery attack, Domino will reveal whether a username is in fact valid in the domain.  In the default behaviour, the LoginStatus field on a login form will change to 5 (account locked) after the failed login threshold is reached, thus revealing that the username is valid.
 
A solution to this problem may be to 'spoof' the LoginStatus such that the behaviour is identical for invalid usernames.  In this way, an attacker would not be able to orchestrate a username discovery attack.
 
A workaround to the flaw is to
 
1.  Ensure that login forms containing a LoginStatus field do not 'generate HTML for all fields', or otherwise deliver the value of the field to the browser in any shape. 
2.  The message returned to the user for a login failure must be identical regardless of whether it's a login failure (LoginStatus "2") or account lockout (LoginStatus "5"). 
 
The problem with this workaround is that the user would not be aware that their account is locked (if it is), because the message will always be a generic "login failed" message.
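As an added illustration of the leak and of workaround steps 1 and 2 above (this is model code written for this page, not Domino server code), the script below contrasts a handler that passes LoginStatus to the browser with one that returns the same generic page for every failure while still enforcing and logging the lockout. The LoginStatus values 2 and 5 are the ones named in the post; the failure threshold, the in-memory directory and the handler names are assumptions of the model.

```python
"""Model of the LoginStatus leak and the uniform-response workaround.

Added illustration for this page, not Domino server code. LoginStatus 2
(login failed) and 5 (account locked) come from the post; the threshold,
the directory layout and the handler functions are assumptions.
"""
from dataclasses import dataclass, field

LOGIN_OK = 0
LOGIN_FAILED = 2       # LoginStatus for a bad password (from the post)
ACCOUNT_LOCKED = 5     # LoginStatus once the threshold is reached (from the post)
FAILURE_THRESHOLD = 3  # assumed lockout threshold for this model


@dataclass
class Directory:
    """Constructed stand-in for the Domino Directory plus lockout counters."""
    users: dict                                   # username -> password
    failures: dict = field(default_factory=dict)  # username -> failed attempts
    audit_log: list = field(default_factory=list)

    def check(self, username, password):
        """Return the LoginStatus the server computes internally."""
        if username not in self.users:
            return LOGIN_FAILED  # unknown names never accumulate failures
        if self.failures.get(username, 0) >= FAILURE_THRESHOLD:
            return ACCOUNT_LOCKED
        if self.users[username] == password:
            self.failures[username] = 0
            return LOGIN_OK
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= FAILURE_THRESHOLD:
            return ACCOUNT_LOCKED
        return LOGIN_FAILED


def leaky_response(directory, username, password):
    """Default behaviour the post describes: the raw status reaches the
    browser, so a real username eventually answers 5 and an invented one
    never does."""
    status = directory.check(username, password)
    if status == LOGIN_OK:
        return {"LoginStatus": LOGIN_OK, "message": "Welcome"}
    if status == ACCOUNT_LOCKED:
        return {"LoginStatus": ACCOUNT_LOCKED, "message": "Account locked"}
    return {"LoginStatus": LOGIN_FAILED, "message": "Login failed"}


def uniform_response(directory, username, password):
    """The workaround: no LoginStatus in the page and one generic message
    for every failure. The lockout is still enforced and still recorded,
    but only server-side, where the admin can see it."""
    status = directory.check(username, password)
    if status == LOGIN_OK:
        return {"message": "Welcome"}
    if status == ACCOUNT_LOCKED:
        directory.audit_log.append(f"lockout user={username}")
    return {"message": "Login failed"}


def responses_distinguishable(handler, directory, known_user, unknown_user):
    """Defender's check: send the same run of bad passwords for a real and an
    invented username and compare what the browser would see. True means the
    login page still reveals which usernames exist."""
    seen = {}
    for user in (known_user, unknown_user):
        seen[user] = [handler(directory, user, "wrong-password")
                      for _ in range(FAILURE_THRESHOLD + 1)]
    return seen[known_user] != seen[unknown_user]


if __name__ == "__main__":
    users = {"alice": "s3cret"}  # constructed sample directory
    print("default   :", responses_distinguishable(
        leaky_response, Directory(dict(users)), "alice", "nobody"))
    print("workaround:", responses_distinguishable(
        uniform_response, Directory(dict(users)), "alice", "nobody"))
```

The check is the regression test to keep after applying the workaround: any difference in status code, message text, or hidden field between the real and the invented name reintroduces the oracle. The audit log is the server-side counterpart of the generic page; it is where repeated lockouts of one account, which the post's comments raise as a way to paralyse a single user, become visible.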
 
 



1) Kenneth Axi1679 (22 Aug 2012)
Even though this is a really minor issue, I promoted this idea. You actually don't have to do a discovery attack in the login procedure to get the usernames of users in most companies, since the de facto standard is to have the username be the email address, which is usually firstname.lastname@company.com (or only firstname lastname). So, all You have to do is go to the company's public website and You will get the names of some of the employees from there.

And then what; You still need a valid password for each username before You can login...

Why not also connect this lock out feature to also send a text message to the users registered mobile phone, stating that there has been X number of failed login attempts and the account has been locked - "Please contact IT-support for unlocking Your account"...

2) Mark Demicoli10094 (22 Aug 2012)
Hackers can be fully automated dumb sniffer bots gathering email addresses for spam lists or highly skilled individuals with various levels of knowledge about the system and the names in a Domino Directory. For the former, guessing the password is not even required to build a spam list due to the flaw mentioned above.

In either case any additional vector can be critical. Being able to confirm the existence of usernames is hardly a minor issue.

3) Kenneth Axi1679 (22 Aug 2012)
If the only purpose for hacking login forms in this way is to gather usernames for a spam list, then it is a very inefficient way to do it. There are FAR more efficient ways to gather spam lists. It is much simpler (and more efficient) to scan webpages for email addresses, usernames etc. So, I really think this is a minor issue. But as I stated: I do think this idea is good enough to be promoted, so I voted 'Yes' on this.

How should a hacking bot know how many attempts are allowed on each site? If it assumes 3 attempts, but You have enabled 5, the bot will never get the account-locked message and will therefore assume it isn't a valid username. Should the bot test 5 attempts per username? Then You have a bot that will run forever to gather only a handful of names. For what use? No - I still think that for spam lists the best way is to scan webpages etc. I don't think any hacker would seriously consider this alternative.

Another thing is that a hacker who tries to gather usernames has no interest in getting caught - that would be counter-productive for his goal. Getting names by locking accounts means that he forces himself to alert the company that something is going on. If a company faces a large number of locked accounts in one day, someone will DEFINITELY know that something is wrong and start investigating. And all logs contain all the info needed for finding the source of the hacker.

So, I still claim this to be a minor issue, but I also think this idea should be promoted, because it would be another layer of improved security - and everything that improves security with minimal effect on the end-user is good.
4) Vlad Sh10122 (03 Sep 2012)
Kenneth Axi
> has been X number of failed login attempts and the account has been locked - "Please contact IT-support for unlocking Your account"...
This is good, but not much. The attack can be fixed to a single address to harm a person. As a result, his work will be paralyzed. Therefore, it is important to vote for this idea.