True. Moreover, even if a site implemented this in a naive way, they made the UX much worse for the attacker.
And that constitutes a significant issue, if we follow the reasoning of the article.
It does, actually: it hampers casual attackers -- those looking for any account in. On the other hand, attackers out to break into a specific account will not be deterred. Then again: they are not deterred in either case, so you might as well go with the version that impacts some attackers.
It does, actually: it hampers casual attackers -- those looking for any account in. On the other hand, attackers out to break into a specific account will not be deterred. Then again: they are not deterred in either case, so you might as well go with the version that impacts some attackers.