Users should be aware of a new strategy by attackers: since many attempts to block brute force attacks (like this one) look for “4 unsuccessful logins in 30 minutes,” they’ve changed over to a ‘drip’ or ‘trickle’ attack, attacking many millions of sites once an hour or less.

The obvious response is:

1. use a password manager like KeePass
2. use strong (100+ bit) passwords for important sites
3. set the second-level reject for 10 lockouts over 10 days, with a 12-month lockout.

Others may think of better strategies to thwart this attack vector. The authors will undoubtedly have suggestions, possibly a third-level lockout formula, or alternate formulas?

The other concern is botnet attacks: if there are 10,000 attackers, 40 attacks from each is 400,000, still a trivial number if your password has 10^20 possible combos, but much larger than 40 attacks from one IP.
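As an added illustration of the two-tier policy proposed above (not code from the post or from any plugin), the following Python runs a sliding-window lockout over a constructed login log: the first tier is the “4 failures in 30 minutes” rule, the second tier is the suggested “10 lockouts over 10 days, then a 12-month lockout”, and a third, assumed rule counts failures over a long window so that a once-an-hour trickle that never trips the 30-minute window is still caught. The 20-minute first-level lockout duration and the 100-failures-in-10-days trickle threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values: 4 failures / 30 min and 10 lockouts / 10 days -> 12-month lockout
# follow the post; the 20-minute first-level lockout and the 100-failures-in-10-days
# trickle rule are assumptions made for this example.
FAST_FAILS, FAST_WINDOW, FAST_LOCKOUT = 4, timedelta(minutes=30), timedelta(minutes=20)
LOCKOUTS_MAX, LOCKOUT_WINDOW, LONG_LOCKOUT = 10, timedelta(days=10), timedelta(days=365)
SLOW_FAILS, SLOW_WINDOW = 100, timedelta(days=10)

def _prune(times, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while times and now - times[0] > window:
        times.popleft()

def evaluate(events):
    """events: (timestamp, ip, success) tuples in time order.
    Returns {ip: [(timestamp, rule)]} for every lockout that was imposed."""
    fast, slow, lockouts = defaultdict(deque), defaultdict(deque), defaultdict(deque)
    locked_until, decisions = {}, defaultdict(list)
    for ts, ip, ok in events:
        if ip in locked_until and ts < locked_until[ip]:
            continue                      # attempts during a lockout are ignored
        if ok:
            fast[ip].clear()              # a good login resets the short counter
            continue
        fast[ip].append(ts); slow[ip].append(ts)
        for dq, win in ((fast[ip], FAST_WINDOW), (slow[ip], SLOW_WINDOW), (lockouts[ip], LOCKOUT_WINDOW)):
            _prune(dq, ts, win)
        if len(fast[ip]) >= FAST_FAILS:   # first level: a burst of failures
            fast[ip].clear(); lockouts[ip].append(ts)
            if len(lockouts[ip]) >= LOCKOUTS_MAX:   # second level: repeat offender
                locked_until[ip] = ts + LONG_LOCKOUT
                decisions[ip].append((ts, "second-level"))
            else:
                locked_until[ip] = ts + FAST_LOCKOUT
                decisions[ip].append((ts, "first-level"))
        elif len(slow[ip]) >= SLOW_FAILS:  # trickle: never 4 in 30 min, but steady
            slow[ip].clear(); locked_until[ip] = ts + LONG_LOCKOUT
            decisions[ip].append((ts, "slow-trickle"))
    return dict(decisions)

def sample_events():
    """Constructed log: a bursty attacker, a once-an-hour trickle attacker, one legit user."""
    t0 = datetime(2024, 1, 1)
    ev = [(t0 + timedelta(hours=h, minutes=m), "198.51.100.7", False)
          for h in range(12) for m in range(4)]
    ev += [(t0 + timedelta(hours=h), "203.0.113.9", False) for h in range(120)]
    ev += [(t0 + timedelta(hours=5), "192.0.2.1", False),
           (t0 + timedelta(hours=5, minutes=1), "192.0.2.1", True)]
    return sorted(ev)

if __name__ == "__main__":
    for ip, hits in evaluate(sample_events()).items():
        print(ip, [(ts.isoformat(), rule) for ts, rule in hits])
```

In the constructed log the bursty IP collects nine first-level lockouts and then the 12-month second-level one, while the trickle IP is only ever caught by the long-window rule, which is the gap in a 30-minute-only policy.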
