I am doing some research into login portals on websites/web services, and I am after some up to date expert knowledge of the threats against such portals.
By login portal I am simply talking about any web site or service that requires Single-factor authentication (a username and a password).
Some of the security we already have in place are account lockout mechanisms to prevent brute force or guessing attacks, we have changed any default accounts / default passwords, encryption of the credentials using https etc etc.
My question is without either a username or password how do attackers try to penetrate or "hack" into a System that requires authentication credentials, essentially bypassing the login portal. Any pointers and best practice to help prevent such attacks would be much appreciated.