Wouldn't it be better to lock a system up after X number of failed attempts and then require another unknown person to also login, perhaps even remotely?