TL;DR: Default creds, common cred lists, response-based user enum, login error timing, account-lockout vs IP-rotation tradeoffs.
Stub — to be filled in.
What it is
TODO
Preconditions / where it applies
TODO
Technique
TODO
Detection and defence
TODO
References