Consider a system that has many user accounts, and which allows logins over a network that is accessible to attackers. (Again, we do not assume that the attackers can sniff network traffic; we only assume that they can connect to the network and try to log in to the server, pretending to be a legitimate user.) Now consider an attacker who is interested in breaking into any account in the system, rather than into a specific account. Such an attacker can issue many login attempts in parallel and thereby circumvent the timing measure: the delay that the server inserts before answering bounds the rate of a single login session, but login servers are typically built to handle many sessions at once, and the attacker simply opens as many as needed. For example, the attacker can open a new login attempt every 10 milliseconds, obtaining a throughput of 100 login attempts per second regardless of how long the server delays each answer; the delay only helps if the server also caps the number of concurrent sessions, which most servers do not do for legitimate reasons. The account-locking feature can also be circumvented by such a "global" attacker: it tries a different username with each guess and never uses the same username twice (the technique is today usually called password spraying). Since every username receives only one failed attempt, the per-account "many failed login attempts" alarm is never triggered, even though the system as a whole is seeing an abnormal number of failures.
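The following simulation, added here as an example and not taken from the original post, makes the argument concrete. It models a login server that has only the two per-account defences discussed above (a fixed response delay and lockout after a number of failures), runs a "global" attacker that sprays one common password across every username exactly once, and shows that no account is ever locked and the attacker's rate is unaffected by the delay. It then adds the countermeasure a practitioner would want: a detector that counts failed logins across all accounts in a sliding time window, which the spray does trip. The account list, the weak password, the lockout threshold, the delay and the detector's baseline of 50 failures per minute are all constructed for illustration.

```python
"""
Simulation of a "global" online password-guessing attack against a login
server that uses only per-account delay and per-account lockout, plus a
global failure-rate detector that does catch it.

Added example; the server, detector, thresholds and account list are
constructed here for illustration and are not from any real system.
"""
from collections import deque

LOCKOUT_THRESHOLD = 5    # failed attempts on one account before it is locked (assumed)
PER_ATTEMPT_DELAY = 1.0  # seconds the server waits before answering (assumed)


class LoginServer:
    """Per-account defences only: fixed delay and lockout after N failures."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)            # username -> password
        self.failures = {u: 0 for u in accounts}  # per-account failed-attempt count
        self.locked = set()

    def login(self, username, password):
        """Returns (ok, delay). The delay is returned rather than slept:
        a parallel attacker does not wait for it before sending the next guess."""
        if username in self.locked:
            return False, PER_ATTEMPT_DELAY
        if self.accounts.get(username) == password:
            self.failures[username] = 0
            return True, 0.0
        if username in self.failures:
            self.failures[username] += 1
            if self.failures[username] >= LOCKOUT_THRESHOLD:
                self.locked.add(username)
        return False, PER_ATTEMPT_DELAY


class GlobalFailureDetector:
    """Counts failed logins across *all* accounts in a sliding time window.
    A spraying attacker touches each account once, so per-account counters
    stay at 1, but the system-wide failure rate is far above baseline."""

    def __init__(self, window_seconds, max_failures):
        self.window = window_seconds
        self.max_failures = max_failures
        self.events = deque()  # (timestamp, username), oldest first

    def record_failure(self, t, username):
        self.events.append((t, username))
        # drop events that have fallen out of the window
        while self.events and self.events[0][0] < t - self.window:
            self.events.popleft()

    def alarm(self):
        return len(self.events) > self.max_failures

    def distinct_usernames(self):
        return len({u for _, u in self.events})


def spray(server, detector, usernames, password, interval=0.01):
    """Global attacker: one guess per username, never repeating a username,
    sent every `interval` seconds regardless of the server's delay."""
    compromised = []
    for i, user in enumerate(usernames):
        t = i * interval
        ok, _delay = server.login(user, password)
        if ok:
            compromised.append(user)
        else:
            detector.record_failure(t, user)
    return compromised


def run_simulation():
    # Constructed account list: 1000 users, three of whom use a weak common password.
    usernames = [f"user{i:04d}" for i in range(1000)]
    accounts = {u: f"strong-{u}-pw" for u in usernames}
    for weak in ("user0042", "user0317", "user0888"):
        accounts[weak] = "Spring2011!"
    server = LoginServer(accounts)
    # Constructed baseline: a site this size rarely sees more than 50 failures per minute.
    detector = GlobalFailureDetector(window_seconds=60, max_failures=50)

    compromised = spray(server, detector, usernames, "Spring2011!", interval=0.01)
    return {
        "compromised": compromised,                          # ['user0042', 'user0317', 'user0888']
        "locked_accounts": len(server.locked),               # 0: lockout never fires
        "max_per_account_failures": max(server.failures.values()),  # 1
        "attempts_per_second": 1 / 0.01,                     # 100, independent of PER_ATTEMPT_DELAY
        "global_alarm": detector.alarm(),                    # True
        "distinct_failing_users": detector.distinct_usernames(),  # 997
    }


if __name__ == "__main__":
    for k, v in run_simulation().items():
        print(f"{k}: {v}")
```

The same server does lock an account when a targeted attacker hammers it, which is the case the per-account counter was designed for; the spray evades it only because it never revisits a username. The global detector keys on the one signal the spray cannot hide, the system-wide failure count, and the number of distinct usernames failing in the window is a second useful discriminator, since a legitimate burst of failures usually comes from a few users who mistype rather than from hundreds each failing once.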
Sunday, April 3, 2011