Apps such as Fail2ban and DenyHosts enable unix administrators to limit username/password combo attempts to typically 3 attempts. But why 3? Some admins enable more, like 6 or 8 giving honest users a little more slack when making different attempts at a password they may not recall exactly. But why not 18? Or even 30?
If a sophisticated cracker wanted to brute force a combo with a scheme involving 128 bits of entropy, s/he would need to make trillions of attempts a second. So if an admin limited the total number of attempts to 100 using Fail2ban, wouldn’t the authentication system still be secure and robust, as long as the admin sets up their username/password scheme to require 128 bits of entropy?