Most of the time, hackers use something like this AI tool to guess a list of passwords on some insecure site with a lot of users like instagram, linkedin, wordpress etc... then they will take that list along with your profile to try them on bank sites etc trying two logins and then waiting 20 minutes, change ips etc... that script runs for days until they get into a couple of the interesting sites.
Only the people that use the same password on the insecure sites and the secure sites will be vulnerable.
Thanks. That is a strategy that uses AI to winnow down to huge number of combinations to be tried to a list that, while still quite large, is still at least manageable. Based on the desire not to trigger the account lockout feature, the hacker’s computer would have an unlimited number of two try attempts. Would an effective defense be to monitor the number of failed log on attempts per account per day without lockout and flag unusually high numbers of persistent probing for further investigation?