Security of the IM2000 session authentication mechanisms
Brute force attacks against authentication
Authentication transactions in the IM2000 protocols are designed to
prevent leakage of information in the event of an authentication failure.
The client is not informed of the exact reason for the authentication
failure, preventing attacks whereby clients can guess account names
without having to supply passwords.
Servers may employ mechanisms that
limit the number of times that authentication can fail per session
and then fail all subsequent authentication transactions in that session,
limit the number of times that authentication can fail per account
and then fail all subsequent authentication attempts for that account
until reset by an out-of-band means,
introduce delays before sending responses if too many consecutive
authentication attempts fail.