Message 36 of 54
Thank you. ....
Dr. Herley has not distinguished between the two contexts either. His papers and your articles have been thought-provoking. I've been thinking about "the password problems" since the previous time that we discussed them.

In particular, I kept wondering about the rationale for the customary "rules", especially about changing passwords often. In Dr. Herley's first paper, about the rejection of security advice, that rule was the fundamental objection that users had, since the effort invested to memorize a "strong" password has to be made all over again when it is changed to another one. That becomes an excuse to write them on a note kept near at hand. There is no obvious profit in the exercise for the user, and with regard to outsider risk, changing them often is unlikely to have a deterrent effect.

So that led to considering why user names and passwords were originally adopted to secure access to data, and I realized that insider risk was the first and fundamental justification, well before they were extended to control access to other assets such as networks.

Every accounting system on which I worked as a programmer had a pervasive and abiding concern with regard to internal security. The accountants did not trust the programmers, either. User-IDs, passwords, access and activity logging, and other controls were typically integrated into the system design from the outset. Indeed, they were often implemented for the development of the software, too!

By the way, the "bulk guessing" attack with user-IDs is one that I cannot recall hearing of before. It is an interesting concept.

But I wonder how noticeable to the target it might become as a result of the increase in the use of bandwidth to access the target's web site. Ten million attempted accesses with the same password for random (?) user-IDs don't show up as attacks on any specific accounts. But do that for several passwords without any significant intervals, and it could become a slow-motion DDoS, especially with simultaneous attacks (i.e., each with a different password).

The increased traffic could also be noticeable if the attacks alter the traffic pattern during the course of the day, such as increasing it significantly during periods of time when traffic is ordinarily low.

More things to think about.
Posted by Ocie3
Updated - 21st Jul 2010
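The "bulk guessing" attack discussed in the post above (one password tried against many user-IDs, so that no single account accumulates enough failures to trip a lockout) and the suggestion that it might still be visible in aggregate traffic can be made concrete with a small detection script. This is an added example, not code from the discussion or from Dr. Herley's papers. The log line format, the sample log lines, the hour-of-day baseline and the thresholds are all constructed assumptions for illustration. It runs three checks over the same events: a conventional per-account lockout rule (which sees only the single-account brute force), a per-source "many distinct users, few tries each" rule (which catches the spray), and an hour-of-day volume comparison (which flags the off-hours burst the post describes).

```python
"""Detecting a bulk-guessing (password-spraying) run in authentication logs.

Added example, not code from the original discussion. The log format,
sample data, baseline and thresholds are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumed format: ISO timestamp, result, user=..., src=...):
#   - one source tries a single password against 30 different user-IDs at 03:00
#   - another source hammers one account ("alice") six times at 14:05
#   - a legitimate user ("bob") fails once and then logs in
SAMPLE_LOG_LINES = (
    [f"2010-07-21T03:00:{i:02d} FAIL user=user{i:02d} src=203.0.113.7" for i in range(30)]
    + [f"2010-07-21T14:05:{i:02d} FAIL user=alice src=198.51.100.9" for i in range(6)]
    + ["2010-07-21T14:10:00 FAIL user=bob src=192.0.2.4",
       "2010-07-21T14:10:07 OK user=bob src=192.0.2.4"]
)

# Assumed baseline of failed logins per hour of day: quiet overnight, busier by day.
BASELINE = {h: (2 if h < 7 else 15) for h in range(24)}


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def parse_log(lines):
    return [parse_line(ln) for ln in lines if ln.strip()]


def locked_accounts(events, threshold=5):
    """Conventional per-account lockout: users with >= threshold failures.
    A spray that tries each account once never reaches this threshold."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {u for u, n in fails.items() if n >= threshold}


def spray_sources(events, min_users=20, max_per_user=2):
    """Per-source rule: a source that fails against many distinct users with
    only a try or two each is guessing in bulk, not targeting one account.
    Returns {source: number of distinct users it failed against}."""
    per_src = defaultdict(Counter)
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return {src: len(users) for src, users in per_src.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}


def hourly_failures(events):
    """Failed attempts bucketed by calendar hour, e.g. '2010-07-21T03'."""
    return Counter(e["ts"].strftime("%Y-%m-%dT%H")
                   for e in events if e["result"] == "FAIL")


def off_hours_anomalies(hourly, baseline, factor=3.0):
    """Hours whose failure count exceeds factor x the expected count for that
    hour of day. This is the traffic-pattern signal described in the post."""
    out = {}
    for hour, n in hourly.items():
        expected = baseline.get(int(hour[-2:]), 0)
        if n > factor * max(expected, 1):
            out[hour] = n
    return out


def analyze(lines=SAMPLE_LOG_LINES, baseline=BASELINE):
    events = parse_log(lines)
    return {
        "locked": locked_accounts(events),
        "spray": spray_sources(events),
        "anomalous_hours": off_hours_anomalies(hourly_failures(events), baseline),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

On the constructed sample, the lockout rule reports only "alice", the spray rule reports the 03:00 source with 30 distinct user-IDs, and the volume check flags the 03:00 hour; the 30 sprayed accounts themselves never appear in the lockout list, which is the point the post makes about the attack not showing up "on any specific accounts".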