Automated online password-guessing attacks have emerged as a major threat to Web service providers in recent years. The typical approach to addressing online password attacks is currently to block or throttle repeated guesses against an account. The approach can work against depth-first attacks but is not very effective when password guesses are distributed across a wide range of accounts. Microsoft, for instance, detects several million credential attacks against its identity systems on a daily basis. The challenge for organizations is figuring out a way to reliably distinguish legitimate traffic from attack traffic.

