Indirect brute-forcing passwords?
I am still in the process of reading James Fallows’ article on his wife’s Gmail account being hacked, but I was struck by this statement:
For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.
Let me guess: this margin is too small to explain how this works. But I would love to know; in my world, the definition of a brute-force attack requires millions of guesses at a password.