Well. To be fair? They -can't- protect you against a brute-force attack, if it's executed properly. At least, not without pissing off the userbase.
Can they reject an IP based on too many failed login attempts within a certain window? Absolutely. And they do. Unfortunately, this has to be lifted after a certain period because otherwise you get AOL users (and others, they're just the most visible) bitching and moaning about how they can't log in. They can't log in because some dipshit using their shared or recycled IP got the IP blocked, but then you're punishing valid users. So, it unlocks after a while.
Can they lock an account after too many failed login attempts within a certain window? Absolutely. I have no data on whether they do or not, but this is a landmine option, meaning that it's guaranteed to piss off the public and needs to be handled with care. My guess would be that they -do-, but it automatically unlocks after X hours.
Here's the thing, though. Anybody trying to gain access can get around both of those ridiculously easily. Once you've experimented a few times to find out what the parameters are, you can script the entire thing, and stay under the threshold for automatic lockout. And remember, it's not some bored hacker targeting -you-, it's someone with thousands, possibly millions, of account names that his script is patiently sifting through, and more likely than not a sizable pool of IP addresses to launch the attack from.
Blizzard -does- protect against brute-force attacks as best they can, but nothing can stop one outright if the attacker is reasonably clever. Not with a simple password scheme, at any rate. You can protect yourself by choosing passwords of sufficient complexity, but with this sort of security scheme -- the only sort the paying public will tolerate, mind you -- you cannot guarantee a brute-force attack won't get through.
--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs
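The two countermeasures the post describes (a per-IP block and a per-account lockout, both with a time window) are easy to sketch, and doing so shows exactly the gap the post points at: an attacker who spreads attempts across many accounts and many source addresses never trips either counter. The example below is added here and is not from the original post or from Blizzard; it models both counters plus a site-wide third one (distinct accounts failing inside the window) that does fire on the spread-out pattern. All thresholds, window sizes, addresses and account names are assumed values constructed for the demonstration.

```python
from collections import Counter, defaultdict, deque

# Thresholds below are assumed for illustration only, not any real service's settings.
WINDOW_SECONDS = 600          # sliding window used by every counter
IP_FAIL_LIMIT = 10            # failures from one IP before that IP is blocked
ACCOUNT_FAIL_LIMIT = 5        # failures on one account before it is locked
DISTINCT_ACCOUNT_LIMIT = 50   # distinct accounts failing site-wide before alerting


class LoginFailureMonitor:
    """Tracks failed logins per IP, per account, and site-wide over a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, ip_limit=IP_FAIL_LIMIT,
                 account_limit=ACCOUNT_FAIL_LIMIT, distinct_limit=DISTINCT_ACCOUNT_LIMIT):
        self.window = window
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.distinct_limit = distinct_limit
        self.by_ip = defaultdict(deque)        # ip -> timestamps of failures in window
        self.by_account = defaultdict(deque)   # account -> timestamps of failures in window
        self.recent = deque()                  # (ts, account) pairs for the site-wide view
        self.failing_accounts = Counter()      # account -> failures still inside the window

    @staticmethod
    def _push(dq, now, window):
        """Drop timestamps older than the window, add the new one, return the count."""
        cutoff = now - window
        while dq and dq[0] <= cutoff:
            dq.popleft()
        dq.append(now)
        return len(dq)

    def _expire_site_wide(self, now):
        cutoff = now - self.window
        while self.recent and self.recent[0][0] <= cutoff:
            _, account = self.recent.popleft()
            self.failing_accounts[account] -= 1
            if self.failing_accounts[account] == 0:
                del self.failing_accounts[account]

    def record_failure(self, ts, ip, account):
        """Record one failed login and return the set of responses it triggers."""
        triggered = set()
        if self._push(self.by_ip[ip], ts, self.window) >= self.ip_limit:
            triggered.add("ip_blocked")         # temporary; also hits innocent shared-IP users
        if self._push(self.by_account[account], ts, self.window) >= self.account_limit:
            triggered.add("account_locked")     # temporary; the "landmine" option
        self._expire_site_wide(ts)
        self.recent.append((ts, account))
        self.failing_accounts[account] += 1
        if len(self.failing_accounts) >= self.distinct_limit:
            triggered.add("distributed_failures")  # many accounts, few tries each
        return triggered


def analyze(events, monitor=None):
    """Feed (ts, ip, account) failure events through a monitor; return the alert kinds seen."""
    monitor = monitor or LoginFailureMonitor()
    seen = set()
    for ts, ip, account in events:
        seen |= monitor.record_failure(ts, ip, account)
    return seen


def noisy_single_source():
    """Constructed sample: 20 failures in 20 seconds, one IP, one account."""
    return [(t, "203.0.113.7", "victim") for t in range(20)]


def distributed_low_and_slow():
    """Constructed sample: 200 accounts, one failure each, over 40 IPs and 400 seconds."""
    return [(2 * i, f"198.51.100.{i % 40}", f"user{i:04d}") for i in range(200)]


if __name__ == "__main__":
    print("single source:", sorted(analyze(noisy_single_source())))
    print("distributed:  ", sorted(analyze(distributed_low_and_slow())))
```

With these assumed limits the noisy scenario trips both the IP block and the account lock, while the spread-out scenario leaves every IP at 5 failures and every account at 1, so only the site-wide distinct-account counter reacts. That third signal is a detection, not a block: it tells the operator something is happening without locking anyone out, which is the trade-off the post describes.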