
assurance - Re: [Assurance] Password Strength Requirements

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Cc: Brendan Bellina <>
  • Subject: Re: [Assurance] Password Strength Requirements
  • Date: Wed, 8 Aug 2012 21:47:32 +0000
  • Accept-language: en-US

On 8/8/12 5:39 PM, "Brendan Bellina" wrote:

>Even if it is only a theoretical weakness that has never been exploited,
>why not try to prevent it? Maybe the only reason people haven't
>exploited it is because they mistakenly assume systems aren't vulnerable.

Because if there's no evidence it's a real threat that wouldn't lead to
quick apprehension of a miscreant, nobody here's going to care about it
(as they in fact don't).

But the real answer is that it costs money to both prevent that threat but
still limit password guessing. So like any security expense, there has to
be an assessment of the risk/reward. So far, the risk here is viewed as
minimal, and since it's a much simpler lockout approach to just do it in
the standard way, that's what they did.

-- Scott



