The limit is described as “limited to 15 requests per 60 minute period (starting from your first request).”

What does “your” mean? Your IP? Your username?

Let me go as far as to allow for both — Only 15 requests per hour will be accepted from a single IP. Only 15 requests per hour will be accepted, independent of IP, for a particular username.

Imagine a botnet with 300,000 zombie PCs. Imagine furthermore that your dictionary attack isn’t attacking passwords, but usernames. Since 300,000 PCs could each make 15 calls per hour, they could try using 4.5 million usernames against a given password. The machines don’t ever hit the limit of 15 requests per username per hour, because the requests all use different usernames.

Use a list of successfully guessed passwords in order of probability (I’m sure that “password” would net quite a few with 4.5 million random usernames…) and you can probably get several hundred thousand twitter account username/password combinations. If you distribute the passwords you’re trying evenly over a long period, you could probably even escape detection if Twitter tried to combat such an attack by being notified if a particular password was submitted at a higher rate than usual, since you’d be approximating the natural distribution of the use of those passwords, and by their very nature the normal volume of requests with those passwords is high…

Twittering as Barack Obama may help with a trust factor about links, but if your sister tweeted you something, you might follow the link, no? There’s a lot of value in controlling a positively huge number of accounts.

Twitter really does need to at least require more complex passwords to cut out the lowest hanging fruit and make the brute force less likely, if they’re going to continue to allow direct authentication.