I'm hoping your host will get me FTP access tomorrow so
I can get that taken care of for you. In the meantime, the
graph below (based on Strongbox data) should give you an
idea of where to set your IP threshhold. The data isn't exactly
what you'd really want for making this decision, but it should help.
Pennywize works on 24 hour period while the data below covers
longer time periods. I don't think that's going to matter very
much at all though, as you'll see in the graph. What may make
a bigger difference is that the graph below only accounts for
the first 3 octets of the IP, so 123.123.123.123 would show
up the same as 123.123.123.124. That's because Strongbox
knows that dial up and other dynamic IP users often get IPs in the same
subnet while different people aren't very likely to be in the
same subnet by random chance. never the less, here's the data.
It shows how many usernames were used from how many different IPs:
The leftmost point shows that about 5,300 usernames had only
one IP. 1,400 usernames had 2 IPs. About 850 usernames had 3 IPs.
The curve quickly drops. It's very low after about 6-10 IPs, which means
that very few usernames were used from more than 8 IPs.
The vast majority were used from 1,2, or 3 IP ranges. So I'd set my
cutoff between 4 and 10. Exactly where to set it depends on how tough
you want to be. Are you having a major problem and want to really
crack down on compromised passwords, or are you willing to let
some trading go on to reduce the number of legit users blocked?
Of course if your host takes care of getting FTP so I can upload
Strongbox that'll take care of the issue once and for all.