I tried a brute force attack on my own server. I was outside the private network. I got a very good attack rate though. The average was 22 tries/sec. I also tried the same attack on several different servers, e.g. Hotmail and other free ones. All of them blocked my IP address after trying a few times. It seems to be the best kind of protection, although I don't know where this protection is made.
Another server I tried the attack on offered a low rate of attacks per second (less than 2/sec). It complicates the attack but it is still possible.
I know that a good password policy is a huge issue to be considered, but it's hard to get the users to understand it. When they have a strong password, they write it down and leave the note beside their computer. :S
Yet, Zimbra offers the option of blocking the account after X failed logins for Y time. If this issue is enabled, someone can keep blocking some account on purpose (terrorism).
What would be the best way to prevent this kind of attack? How do the free servers block the IP address?
Thanks in advance.
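
An added example, not part of the original post and not Zimbra's or any provider's code: a sketch of blocking by source IP instead of by account, so that a flood of failed logins locks out the sender rather than the targeted user. The class name, thresholds, addresses and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class IPThrottle:
    """Block a source IP after max_failures failed logins within window seconds."""
    def __init__(self, max_failures=5, window=60.0, block_seconds=900.0):
        self.max_failures = max_failures
        self.window = window
        self.block_seconds = block_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block has expired, forget it
            del self._blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            q.clear()
        return self.is_blocked(ip, now)

def simulate(events, throttle):
    """events: (time, ip, account, password_ok) tuples in time order."""
    outcomes = []
    for t, ip, account, ok in events:
        if throttle.is_blocked(ip, t):       # checked before the password is tested
            outcomes.append((ip, account, "rejected-ip-blocked"))
        elif ok:
            outcomes.append((ip, account, "login-ok"))
        else:
            throttle.record_failure(ip, t)
            outcomes.append((ip, account, "bad-password"))
    return outcomes

# Constructed sample: one address guessing at 22 tries/sec for two seconds,
# then the real account owner logging in from a different address.
ATTACKER, USER = "203.0.113.7", "198.51.100.20"
SAMPLE = [(i / 22.0, ATTACKER, "alice", False) for i in range(44)]
SAMPLE.append((2.5, USER, "alice", True))

if __name__ == "__main__":
    for row in simulate(SAMPLE, IPThrottle()):
        print(row)
```

Because the counter is keyed on the address and not on the account, the account itself is never locked; the cost is that guesses spread across many addresses are not caught by this check alone.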