When a user successfully logs into an account, the user is provided with a
first-class login token, which entitles the user to one or more
unsuccessful login attempts without experiencing delays the user would
otherwise experience. If an attempt with a second-class login token or an
expired first-class login token is impermissible, a subsequent login
attempt is subject to delays the user would not otherwise experience. The
delays minimize the effectiveness of dictionary attacks. Additionally, if
the user attempts to log in without a login token or with an invalid login
token, the login attempt is impermissible and the user is provided with a
second-class login token for use in a delayed, subsequent login attempt.
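
The following is an added sketch of the two token classes described above, not code from the original text. The class name, the opaque single-use tokens held in server-side tables, the three constants, and the rule of one outstanding second-class token per account are all assumptions made for illustration.

```python
import hmac
import secrets

FREE_FAILURES = 3    # assumed: failed attempts one first-class token absorbs
FIRST_TTL = 86400.0  # assumed: first-class token lifetime, seconds
DELAY = 5.0          # assumed: wait a second-class token imposes, seconds

class LoginThrottle:
    """Hypothetical server-side model of the two token classes."""

    def __init__(self, passwords):
        self.passwords = passwords  # user -> password (plaintext only in this demo)
        self.first = {}             # token -> (user, failures_left, expires_at)
        self.second = {}            # user -> (token, not_before); one per account

    def _first(self, user, left, expires):
        tok = secrets.token_urlsafe(16)
        self.first[tok] = (user, left, expires)
        return tok

    def _second(self, user, now):
        # Replacing the account's outstanding token caps delayed guesses
        # at one per DELAY, however many tokens a client requests.
        tok = secrets.token_urlsafe(16)
        self.second[user] = (tok, now + DELAY)
        return tok

    def _password_ok(self, user, password):
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def attempt(self, user, password, token, now):
        """Return (status, token the client should present next time)."""
        rec = self.first.pop(token, None)  # every token is single-use
        if rec and rec[0] == user and now < rec[2]:
            if self._password_ok(user, password):
                return "ok", self._first(user, FREE_FAILURES, now + FIRST_TTL)
            if rec[1] > 1:  # budget remains: next attempt is still undelayed
                return "failed", self._first(user, rec[1] - 1, rec[2])
            return "failed", self._second(user, now)
        tok, not_before = self.second.get(user, (None, 0.0))
        if token is not None and token == tok and now >= not_before:
            del self.second[user]
            if self._password_ok(user, password):
                return "ok", self._first(user, FREE_FAILURES, now + FIRST_TTL)
            return "failed", self._second(user, now)
        # No token, unknown token, expired first-class token, or too early.
        return "impermissible", self._second(user, now)
```

In this sketch the first-class table grows with every successful or budgeted attempt, so a deployment would also need to evict expired entries.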