Let me provide a unique perspective as a pentester.
Obtaining a list of individuals within a company is relatively simple through platforms like LinkedIn. Additionally, identifying potential passwords such as password dumps, weak variations like Pa$$w0rd, the company name, or common patterns can also be part of my process.
The challenge arises when trying to apply these credentials to a random web application that is publicly exposed. Understanding the username format - whether it's first.lastname, email, firstinitiallastname, or something else - allows me to attempt various combinations with different passwords. The ultimate objective is to identify at least one valid login credential, which then facilitates extracting the full list of legitimate users from the application itself.
A generic response on a login page significantly hampers our progress. If I can ascertain the correct username, I have the capacity to test up to 24 different passwords per user (one password attempt per user every hour to prevent triggering lockouts). In most cases, I manage to gain access to an organization's system within a day of undertaking this method.
If I cannot confirm the accuracy of the username, I am forced to explore every conceivable combination of usernames and corresponding potential passwords. This limitation typically restricts me to trying only 3-4 passwords for each potential user before the efforts become too exhaustive. Unless users opt for extremely predictable passwords, breaking into the application becomes increasingly challenging.
Occasionally, cross-checking usernames against other sections of the application, particularly the password reset feature, can offer insights. While valuable for verification purposes, this approach is not conducive to brute-forcing logins as it may trigger account locks or send alert notifications to IT if attempted excessively.
Similar to what another individual mentioned, I would categorize this scenario as a vulnerability. If successful in gaining unauthorized entry, I would include it in the final report. Otherwise, I would inform the IT team without formally documenting it. Some novice pentesters might exaggerate the significance of such findings in their reports, potentially causing undue alarm.
A precautionary measure that I often recommend involves implementing a threshold for total failed login attempts. User-specific lockout mechanisms are effective, but introducing additional safeguards for individuals attempting multiple passwords across all users can further enhance security. By monitoring and flagging excessive unsuccessful logins within a specific timeframe, organizations can swiftly detect and mitigate potential brute-force attacks.
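The cross-user failed-login threshold recommended above, as an added example that is not part of the original answer: a small Python detector that flags a source address whose failures spread across several different usernames within a time window, which a per-user lockout alone never sees. The log format (whitespace-separated timestamp, source IP, username, result), the addresses and the sample lines are all constructed for this example.

```python
"""Cross-user failed-login detector (added example, not from the original post):
flags a source whose failures spread across many usernames inside a time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <source ip> <username> <FAIL|OK>".
# 198.51.100.4 is one user mistyping their own password (per-user lockout territory);
# 203.0.113.7 tries a different account every few minutes (what the global threshold is for).
SAMPLE_LOG = """\
2024-05-01T09:00:00 198.51.100.4 carol.wu FAIL
2024-05-01T09:00:30 203.0.113.7 alice.smith FAIL
2024-05-01T09:01:00 198.51.100.4 carol.wu FAIL
2024-05-01T09:02:00 198.51.100.4 carol.wu FAIL
2024-05-01T09:03:00 198.51.100.4 carol.wu FAIL
2024-05-01T09:04:00 198.51.100.4 carol.wu FAIL
2024-05-01T09:05:00 198.51.100.4 carol.wu OK
2024-05-01T09:10:00 203.0.113.7 bob.jones FAIL
2024-05-01T09:20:00 203.0.113.7 dan.lee FAIL
2024-05-01T09:30:00 203.0.113.7 eve.park FAIL
2024-05-01T09:40:00 203.0.113.7 fay.kim FAIL
2024-05-01T11:00:00 203.0.113.7 gus.ng FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_spray(lines, window=timedelta(hours=1), max_failures=5, min_users=3):
    """Return [(ip, iso_timestamp)] for each moment a source reached at least
    `max_failures` failed logins within `window` spread over `min_users` or more usernames."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) for recent failures
    alerts = []
    for ts, ip, user, result in sorted(parse_line(l) for l in lines if l.strip()):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures and len({u for _, u in q}) >= min_users:
            alerts.append((ip, ts.isoformat()))
            q.clear()  # one alert per campaign; counting restarts afterwards
    return alerts

if __name__ == "__main__":
    for ip, when in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"{when}: {ip} failed logins across multiple accounts, review for password spraying")
```

Only the source that fails against several different accounts is flagged; the single user who mistyped their own password five times is left to the ordinary per-user lockout.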