Sunday, 8 February 2015

Can/do botnets brute force "high value" users of services like Gmail?



On an intranet a login is generally disabled after a very small number of failed logins.


But a public email service like Gmail can't do the same, otherwise pranksters would just be continuously locking people out.


Unlike brute forcing a password file that you have locally, hitting a specific account on a remote service like Gmail involves significant network latency - thus severely limiting the speed of a brute force approach.


And the service can introduce artificial delays, e.g. wait a few seconds no matter what before rejecting or accepting a login.


And it can increase the delay per IP address from which a failed login attempt has occurred.


But you can only go so far with delays before they themselves facilitate DoS attacks - if the valid user comes through a proxy, anyone else coming through the same proxy can up the login delay for that user with failed login attempts. So the delay can only be increased so far.


But even a 5 second delay, which would only mildly annoy a human, would thwart brute forcing from a single machine.


But what about a botnet? The largest have several hundred thousand machines.


If all make just a few attempts this means the victim's password just has to be in e.g. the commonest 10 thousand.


I've seen old analysis from 2011 that suggests 30% of user passwords fall into the commonest 10 thousand.


So you've got a 1 in 3 chance of cracking the given account.


But maybe:



  • Botnet time is too valuable to be used even for a short time to crack an individual account.

  • The rise of two factor authentication and password management systems make high value targets harder to hit.

  • Services like Gmail may actively look out for users who are subject to frequent hacking attempts, e.g. celebrities, and ensure they use two factor authentication.

  • High value users who are likely victims of such a coordinated attack have probably already been hacked once and have learnt their lesson - so the success chances of a botnet attack are too low to warrant it.

  • Enforcement of rules on password complexity has changed the percentages I've quoted.


Sorry if you feel this is a repeat of existing questions. @woliveirajr suggests in this answer that you should introduce a CAPTCHA after a few failed attempts.


If you don't do this per IP address, then some users (celebrities etc.) must be filling in CAPTCHAs all the time! If you do it per IP address, then you still get a lot of tries (see above) which cover a significant percentage of the commonest passwords.


Does Gmail or anyone else do this, i.e. require CAPTCHAs after several failed login attempts?


A number of answers on this popular question mention locking people out after a number of failed attempts, but as noted above I think you can only really do this on say a company intranet - not on something like Gmail where it would immediately be used for DoS.
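To make the trade-off in the question concrete, here is an added model (mine, not Gmail's real policy and not from the question's author): a per-IP doubling delay with a cap, no account lockout at all, and a per-account count of distinct failing IPs that a service could use to step a targeted user up to 2FA or a CAPTCHA without letting a single prankster lock anyone out. The IP addresses, delays, bot count and alarm threshold are constructed assumptions.

```python
from collections import defaultdict
# Constructed model of the trade-off in the question (an assumption, not Gmail's
# policy): failures cost the *source IP* a doubling, capped delay, accounts are never
# locked, and a per-account count of distinct failing IPs flags distributed guessing.

class LoginThrottle:
    def __init__(self, base_delay=5, max_delay=300, distinct_ip_alarm=50):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.distinct_ip_alarm = distinct_ip_alarm
        self.ip_failures = defaultdict(int)   # ip -> failed attempts so far
        self.account_ips = defaultdict(set)   # account -> IPs that failed on it

    def delay_for(self, ip):
        """Seconds the next attempt from this IP must wait (per-IP backoff)."""
        return min(self.base_delay * 2 ** self.ip_failures[ip], self.max_delay)

    def record_failure(self, ip, account):
        self.ip_failures[ip] += 1
        self.account_ips[account].add(ip)

    def distributed_attack(self, account):
        """Many distinct IPs failing on one account: step up to 2FA/CAPTCHA."""
        return len(self.account_ips[account]) >= self.distinct_ip_alarm

def attempts_per_ip(window_seconds, base_delay=5, max_delay=300):
    """Guesses one IP fits into a window when only the per-IP backoff applies."""
    throttle, elapsed, attempts = LoginThrottle(base_delay, max_delay), 0, 0
    while elapsed + throttle.delay_for("bot") <= window_seconds:
        elapsed += throttle.delay_for("bot")
        throttle.record_failure("bot", "victim")
        attempts += 1
    return attempts

def botnet_guesses(bots, window_seconds):
    """Every bot pays its own backoff in parallel, so guesses scale with bot count."""
    return bots * attempts_per_ip(window_seconds)

def demo():
    throttle = LoginThrottle()
    for _ in range(20):   # constructed: one IP hammering one account (prankster)
        throttle.record_failure("203.0.113.7", "ordinary-user")
    for bot in range(200):  # constructed: 200 bots, one failure each, one target
        throttle.record_failure(f"198.51.100.{bot}", "celebrity")
    return {
        "prankster_delay": throttle.delay_for("203.0.113.7"),   # 300 (cap), account still open
        "ordinary_user_flagged": throttle.distributed_attack("ordinary-user"),  # False
        "celebrity_flagged": throttle.distributed_attack("celebrity"),          # True
        "single_ip_per_hour": attempts_per_ip(3600),            # 16
        "botnet_per_hour": botnet_guesses(300_000, 3600),       # 4800000, far past 10k
    }
```

The numbers show the question's point: a 5 s delay that doubles per failure holds one IP to 16 guesses an hour, but 300,000 bots paying that delay in parallel clear the commonest 10,000 passwords many times over, which is why a per-account signal (distinct failing IPs) rather than a per-account lockout is the useful defensive addition.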