by rafd 2368 days ago
6 characters is pretty trivial to brute force. Someone could set up a script to continuously try all combinations and get access to whatever happens to hit a match.

You could block an IP after a certain number of failures, but that doesn't protect against a network of various IPs attacking (which attackers often have access to). Adding an artificial delay also wouldn't protect against parallel attacks.

A simpler/better solution would be to add a few more characters to the shortcode so it's infeasible to force within your timeframe (and the number of requests your servers can handle in that timeframe).
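As an added illustration of the sizing argument above (example code, not from the poster), this calculator estimates how likely an attacker who guesses codes uniformly at random is to hit any valid shortcode within a request budget, and picks the shortest length that keeps that risk under a threshold. It assumes a 62-character alphabet (upper, lower, digits) and a constructed scenario of one million live codes.

```python
import math

# Assumption: shortcodes use [A-Za-z0-9], i.e. 62 symbols per position.
ALPHABET_SIZE = 62


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of possible codes of the given length."""
    return alphabet_size ** length


def hit_probability(length: int, live_codes: int, guesses: float,
                    alphabet_size: int = ALPHABET_SIZE) -> float:
    """Probability that `guesses` uniformly random codes (drawn with
    replacement) hit at least one of `live_codes` valid codes.
    P(at least one hit) = 1 - (1 - k/N)^g, computed via log1p for stability."""
    n = keyspace(length, alphabet_size)
    if live_codes >= n:
        return 1.0
    return 1.0 - math.exp(guesses * math.log1p(-live_codes / n))


def min_length(live_codes: int, rate_per_sec: float, window_sec: float,
               max_prob: float, alphabet_size: int = ALPHABET_SIZE,
               max_len: int = 32) -> int:
    """Shortest code length such that an attacker sending `rate_per_sec`
    guesses for `window_sec` seconds (the capacity your servers would absorb
    in that timeframe) hits a valid code with probability <= `max_prob`."""
    guesses = rate_per_sec * window_sec
    for length in range(1, max_len + 1):
        if hit_probability(length, live_codes, guesses, alphabet_size) <= max_prob:
            return length
    raise ValueError("no length up to max_len meets the target probability")


if __name__ == "__main__":
    # Constructed scenario: 1M live codes, attacker can push 1k req/s for a day.
    live, rate, window = 10**6, 1000, 86400
    for length in range(6, 11):
        p = hit_probability(length, live, rate * window)
        print(f"length {length:2d}: keyspace {keyspace(length):.2e}, P(hit) = {p:.4f}")
    print("minimum length for P(hit) <= 1%:", min_length(live, rate, window, 0.01))
```

The loop makes the comment's point concrete: adding characters shrinks the hit probability geometrically, while per-IP blocks only change the attacker's request rate.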


Ugh, I imagine someone reading this is going to snowshoe a test over the weekend.

Why an IP block instead of a username block?
Different attacks.

If you have a network, 1 IP could then try 1 time a user + password. Then switch to another device with a different IP for another one.

The first IP could then try a different user.

You need a combination, not one or the other.

And then, you have to deal with a university or other big institution and users forgetting their passwords after the holidays. That would potentially trigger a ban of everyone.

Username block is a denial of service against that user.
Because then I could block your access with minimal effort.