> Then again, it would be pretty difficult to brute force a password in Battle.net, to be honest. I'm assuming they'd lock out the account after just a handful of tries.

Correct. ~5 failed attempts forces you to use your authenticator code, and if you don't have one, you need to use their reset form and a captcha.