Comment 0 for bug 457358

root (n-root-psiphon-ca) wrote :

* Currently, there's no mechanism in place to prevent an attacker from performing a time-unlimited brute force login attack against any account.
* Best practice is to lock an account after a few unsuccessful login attempts.
* I recommend a temporary lock: after 5 bad attempts, no attempt will succeed for 5 minutes. This is self-managing.
* DoD: any locking mechanism can be exploited for a DoS attack. We should be monitoring the server logs for excessive "login failed" events and be able to respond.
* Also see: http://www.codinghorror.com/blog/archives/001206.html
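The temporary-lock policy proposed in the comment (5 bad attempts, then no attempt succeeds for 5 minutes, expiring on its own) and the companion log check for excessive "login failed" events, as an added example. This is not code from the bug report or from the project; the `LoginThrottle` class, the `ManualClock` helper, the log-line format and the `SAMPLE_LOG` contents are all constructed for illustration.

```python
"""Temporary account lockout after repeated failures, plus a log-failure monitor.

Added example, not part of the bug report or the project. Implements the
comment's suggested policy: after MAX_FAILURES bad attempts, every attempt on
that account is rejected (even with the right password) for LOCK_SECONDS, and
the lock clears itself afterwards. Also counts "login failed" events per
account in a constructed log so an operator can spot a lockout-driven DoS.
"""
import re
import time
from collections import defaultdict

MAX_FAILURES = 5      # policy from the comment: 5 bad attempts ...
LOCK_SECONDS = 300    # ... then nothing succeeds for 5 minutes


class ManualClock:
    """Test clock (assumption for this example): advance() moves time forward."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-account failure counter with a self-expiring temporary lock."""

    def __init__(self, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock            # injectable so the lock can be tested offline
        self.failures = defaultdict(int)
        self.locked_until = {}        # username -> epoch seconds when lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: reset state so the account heals without operator action.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def attempt(self, username, password_ok):
        """Return True only if the account is not locked and the credentials are valid."""
        if self.is_locked(username):
            return False              # rejected regardless of password while locked
        if password_ok:
            self.failures[username] = 0
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lock_seconds
        return False


# Constructed sample log lines (format is an assumption for this example).
SAMPLE_LOG = """\
2024-01-01 12:00:01 login failed user=alice src=203.0.113.5
2024-01-01 12:00:02 login failed user=alice src=203.0.113.5
2024-01-01 12:00:03 login failed user=bob src=198.51.100.7
2024-01-01 12:00:04 login ok user=bob src=198.51.100.7
2024-01-01 12:00:05 login failed user=alice src=203.0.113.5
2024-01-01 12:00:06 login failed user=carol src=192.0.2.9
2024-01-01 12:00:07 login failed user=alice src=203.0.113.5
2024-01-01 12:00:08 login failed user=carol src=192.0.2.9
2024-01-01 12:00:09 login failed user=alice src=203.0.113.5
"""

FAILED_RE = re.compile(r"login failed user=(\S+)")


def count_login_failures(log_text):
    """Count 'login failed' events per account in the given log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def excessive_failures(log_text, threshold=MAX_FAILURES):
    """Accounts whose failure count reaches the lockout threshold, sorted by name."""
    counts = count_login_failures(log_text)
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    """Walk the lock through its lifecycle on a manual clock; returns the observations."""
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock)
    for _ in range(MAX_FAILURES):
        throttle.attempt("alice", password_ok=False)
    locked = throttle.is_locked("alice")
    rejected_while_locked = not throttle.attempt("alice", password_ok=True)
    clock.advance(LOCK_SECONDS)
    recovered = throttle.attempt("alice", password_ok=True)
    return locked, rejected_while_locked, recovered


if __name__ == "__main__":
    print("lock lifecycle (locked, rejected while locked, recovered):", demo())
    print("accounts at lockout threshold in sample log:", excessive_failures(SAMPLE_LOG))
```

The clock is injected so the expiry can be exercised without sleeping; in production the default `time.time` is used. The failure counter is keyed by account, which is the policy the comment asks for, so the monitor is what turns a deliberate flood of failures against one account from a silent denial of service into an alert the operator can act on.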