Because it wasn't a brute force attack, and it wasn't an attack against the database.
The only thing I would suggest is captcha to stop people from trying to log in too many times. I've seen way too many instances of password hacking programs and I don't believe Toribash has protection against it.
Even though there isn't any protection against that, I still believe Toribash has good enough protection to get the account back to the original owner.
He means if you get a keylogger on your system, then it'd be just a waiting game. Once you typed in your username and password, the 'hacker' now has your username and password.
Get it?
The only thing I would suggest is captcha to stop people from trying to log in too many times.
Lol brute force...
What is this? The 90s?
Dictionary attacks are way more common. Besides, I heard you are using MD5, so rainbow tables are probably more efficient for large volumes.
Though since you said "reasonable", then I assume you are salting too, so rainbow tables would be slow...
Brute forcing one MD5 doesn't take an unimaginable amount of time, even salted. I'll pull up hashcat or a similar program if you want me to.
From what I know, cracking passwords doesn't have to generally be an outright dictionary attack. It only has to be a clever way of tricking users into unknowingly presenting you with the password. Rave, you of all people should know how stupid people are and how easily you can get an idiot's password.
What I think Toribash should have is a group of people (maybe paid, who knows) who work at finding exploits that someone could use to gain access to other users' accounts, and reporting them/fixing them.
Either that, or a pin on every account that is required if a user logs in from a different IP address, which is simpler to place into action, and is relatively safe (letters/numbers/other characters instead of only numbers).
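The two suggestions made in this thread (a captcha after too many login attempts, and a PIN required when logging in from a different IP address) combined in one login check. This is an added example, not part of any post and not Toribash's code; the thresholds, the PBKDF2 hashing and every name in it are assumptions.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # assumed: failures allowed before a captcha is demanded
WINDOW_SECONDS = 900    # assumed: window in which failures are counted

def hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted, deliberately slow KDF so each guess against a leaked hash is costly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, pin: str, home_ip: str):
        self.pw_salt, self.pin_salt = os.urandom(16), os.urandom(16)
        self.pw_hash = hash_secret(password, self.pw_salt)
        self.pin_hash = hash_secret(pin, self.pin_salt)
        self.known_ips = {home_ip}   # addresses that already passed the PIN step
        self.failures = []           # timestamps of recent failed attempts

def login(acct, password, ip, pin=None, captcha_ok=False, now=None):
    """Return 'ok', 'denied', 'captcha_required' or 'pin_required'."""
    now = time.time() if now is None else now
    # Forget failures that have aged out of the window.
    acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
    if len(acct.failures) >= MAX_FAILURES and not captcha_ok:
        return "captcha_required"    # throttle guessing before checking anything
    if not hmac.compare_digest(hash_secret(password, acct.pw_salt), acct.pw_hash):
        acct.failures.append(now)
        return "denied"
    if ip not in acct.known_ips:
        if pin is None:
            return "pin_required"    # right password, unfamiliar address
        if not hmac.compare_digest(hash_secret(pin, acct.pin_salt), acct.pin_hash):
            acct.failures.append(now)    # PIN guesses count toward the throttle
            return "denied"
        acct.known_ips.add(ip)
    acct.failures.clear()
    return "ok"
```

As raised earlier in the thread, neither check helps once a keylogger has captured the password and the PIN together; both only slow down guessing and the reuse of a password from an unfamiliar address.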