Subject | Re: [Firebird-Architect] RC4 |
---|---|
Author | Alex Peshkoff |
Post date | 2010-11-18T16:33:58Z |
>>> 4. The server decrypts the session key and uses it for subsequent
>>> communication (RC4 by default)
>>>
>>> The server will stop responding to an account after n successive
>>> failures for an account for progressively increasing time to thwart
>>> dictionary attacks.
>>>
>> Taking into account IPs having too many failures is also useful.
> Good point, but it doesn't help against a distributed dictionary attack.

Yes, but taking into account only the username does not help if the attacker
wants to crack any name, not only a particular one. Certainly, against a
distributed attack on any users, not one particular one, none of this
helps - but in Firebird I prefer to check both logins and IPs. And as a
last measure - if the total of failed login attempts (for different users,
from different IPs) becomes too big, I delay all logins (certainly not
progressively) for some amount of time.
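The three-layer throttle described in this exchange (progressive per-account delay, a per-IP failure limit, and a non-progressive pause for everyone once the total failure count gets too high) written out as an added example. This is illustrative code, not Firebird's implementation; the thresholds, delays and the window length are constructed defaults, and the `FakeClock` exists only so the example runs deterministically offline.

```python
"""Login-failure throttling combining per-account, per-IP and global limits.

Added example, not Firebird code; all policy numbers are illustrative.
"""
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ThrottlePolicy:
    user_threshold: int = 3       # failures on one account before delays start
    base_delay: float = 1.0       # seconds; doubles with each further failure
    max_delay: float = 300.0      # cap on the progressive per-account delay
    ip_threshold: int = 10        # failures from one IP (any account) before blocking
    ip_delay: float = 60.0        # fixed block for an IP over its threshold
    global_threshold: int = 100   # total failures (all users, all IPs) that
    global_delay: float = 30.0    # trigger a fixed, non-progressive pause for everyone
    window: float = 600.0         # failures older than this are forgotten


class LoginThrottle:
    def __init__(self, policy=None, clock=time.monotonic):
        self.policy = policy or ThrottlePolicy()
        self.clock = clock
        self.user_failures = defaultdict(list)   # username -> failure timestamps
        self.ip_failures = defaultdict(list)     # source IP -> failure timestamps
        self.global_failures = []                # timestamps across all users and IPs
        self.global_block_until = 0.0

    def _recent(self, stamps, now):
        """Drop failures outside the window (in place) and return the survivors."""
        cutoff = now - self.policy.window
        stamps[:] = [t for t in stamps if t >= cutoff]
        return stamps

    def delay_for(self, user, ip):
        """Seconds a login attempt must wait before being processed; 0.0 if allowed."""
        p, now = self.policy, self.clock()
        wait = max(0.0, self.global_block_until - now)

        # Per-account: progressive (doubling) delay once the threshold is passed.
        uf = self._recent(self.user_failures[user], now)
        if len(uf) >= p.user_threshold:
            delay = min(p.base_delay * 2 ** (len(uf) - p.user_threshold), p.max_delay)
            wait = max(wait, uf[-1] + delay - now)

        # Per-IP: catches one source spraying many different usernames.
        ipf = self._recent(self.ip_failures[ip], now)
        if len(ipf) >= p.ip_threshold:
            wait = max(wait, ipf[-1] + p.ip_delay - now)

        return max(0.0, wait)

    def record_failure(self, user, ip):
        p, now = self.policy, self.clock()
        self.user_failures[user].append(now)
        self.ip_failures[ip].append(now)
        g = self._recent(self.global_failures, now)
        g.append(now)
        if len(g) >= p.global_threshold:
            # Too many failures overall (distributed attack): pause all logins
            # for a fixed time, then start counting afresh.
            self.global_block_until = now + p.global_delay
            g.clear()

    def record_success(self, user):
        # A successful login clears the account's counter; IP and global history
        # are kept because they describe the source, not the account.
        self.user_failures.pop(user, None)


class FakeClock:
    """Constructed clock so the example runs deterministically without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(ThrottlePolicy(), clock)
    for _ in range(4):
        throttle.record_failure("alice", "10.0.0.1")
    print("alice must wait", throttle.delay_for("alice", "10.0.0.1"), "s")
    for i in range(10):
        throttle.record_failure(f"user{i}", "203.0.113.9")
    print("203.0.113.9 must wait", throttle.delay_for("carol", "203.0.113.9"), "s")
```

`delay_for` is meant to be called before the password is even checked, so a blocked attempt costs the server nothing but a counter lookup; the global pause is deliberately a fixed delay rather than a progressive one, matching the last measure described above.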