View Issue Details

ID: 0009789
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-02-16 07:03
Reporter: llattan
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: acknowledged
Resolution: open
Platform: all
OS: all
OS Version: all
Product Version: 1.1.4
Summary: 0009789: password policies and lockout for failed login attempts
Description

I would like my mantisbt to be accessible from the internet, but I think it could be insecure.

Could you add password policies and lockouts for failed attempts to login?

I hope you can help me.

Regards.
Leandro.

Tags: No tags attached.

Relationships

related to 0009788 (closed): captcha on login screen

Activities

vboctor (manager), 2008-11-07 17:55, note ~0019807

I agree that this would be a nice addition. I was thinking of the same thing lately. Would be nice to capture some brainstorming of what should be done:

  1. On 3 (configurable) failed logins, lock the account for 5 minutes. Potentially for this single IP?
  2. SOAP API should be secured in the same way / make sure there is a way to disable SOAP API altogether.
  3. Email account owner on failed login attempts / account locking while providing the IP address of the failed attempt.
  4. Log failed login attempts (these events are consumed by the Event Log plugin).
JohnDelay (reporter), 2014-10-05 13:06, note ~0041383 (last edited: 2014-10-05 13:07)

Hi there,

It's also related to thread http://www.mantisbt.org/bugs/view.php?id=9788

This is what config_defaults_inc.php says about $g_max_failed_login_count:

/**
 * Max. attempts to login using a wrong password before lock the account.
 * When locked, it's required to reset the password (lost password)
 * Value resets to zero at each successfully login
 * Set to OFF to disable this control
 * @global int $g_max_failed_login_count
 */

I didn't really explore the code, but I can say that the statement "Value resets to zero at each successfully login" makes this feature useless, or let's say: makes it 'not working' ...

When attempting to login with a wrong username/password, the browser message is: "Your account may be disabled or blocked or the username/password you entered is incorrect."

But that's not true: the account isn't disabled or blocked. After $g_max_failed_login_count an attacker can keep on trying to brute force.

It should show e.g.: "Your account is disabled or blocked. Even if you provide the correct username and password this time, login isn't possible. Please click 'Lost your password?' to make use of password reset functionality." ... And of course the "Value resets to zero" thing should be removed resp. rewritten.
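The lockout sketched in vboctor's brainstorm (configurable failure threshold, temporary lock, logging of failed attempts with the client IP) and the gap JohnDelay points out (a locked account must refuse even the correct password until the lock is lifted, and the counter must only reset on a genuine success) can be seen together in the following added example. It is illustrative code written for this note, not MantisBT's own implementation; the check_password hook, the clock parameter and the sample username and IP are assumptions.

```python
import logging
import time
from dataclasses import dataclass

MAX_FAILED_LOGIN_COUNT = 3   # configurable threshold, in the spirit of $g_max_failed_login_count
LOCKOUT_SECONDS = 5 * 60     # lock duration from the brainstorm ("5 minutes")

log = logging.getLogger("mantis.auth")  # failed attempts go to the log, as item 4 suggests


@dataclass
class AccountState:
    failed_count: int = 0      # consecutive failures since the last success or lock
    locked_until: float = 0.0  # unix time; 0 means not locked


class LoginGuard:
    """Per-account failed-login counter with a timed lockout.

    check_password(username, password) -> bool is a hypothetical hook standing in
    for the real credential check; clock is injectable so tests need not wait.
    """

    def __init__(self, check_password, max_failed=MAX_FAILED_LOGIN_COUNT,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self._check, self._max = check_password, max_failed
        self._lockout, self._clock = lockout, clock
        self._state = {}  # username -> AccountState

    def login(self, username, password, ip):
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        # Refuse a locked account before the password is checked at all, so a
        # correct guess inside the lockout window cannot succeed.
        if now < st.locked_until:
            log.warning("login refused (locked): user=%s ip=%s", username, ip)
            return "locked"
        if self._check(username, password):
            st.failed_count = 0  # reset only on a genuine success of an unlocked account
            return "ok"
        st.failed_count += 1
        log.warning("failed login: user=%s ip=%s count=%d", username, ip, st.failed_count)
        if st.failed_count >= self._max:
            st.locked_until = now + self._lockout
            st.failed_count = 0  # the timed lock, not the counter, now enforces the limit
            log.warning("account locked: user=%s ip=%s until=%.0f", username, ip, st.locked_until)
            return "locked"
        return "failed"
```

Locking is keyed per account here; keying on (username, IP) instead would give the "single IP" variant vboctor mentions, at the cost of letting a distributed attacker avoid the lock.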