There are two distinct goals of software security: users must be allowed unhindered access to data that they are authorized to see, and bad actors must be denied access to data that they are not authorized to see. Satisfying one of these two goals often comes at the cost of the other. A password system which locks an account for 24 hours after three failed attempts could be used by bad actors to intentionally lock users out of their accounts, allowing for a denial of service attack. If, however, a user is allowed unlimited attempts at a password then a bad actor has more opportunities to brute force the password, which would give them access to unauthorized data. A secure system must then take into consideration the opportunities to afford unwanted access and the opportunity to deny intended services.