We know that all kinds of IT infrastructure are subject to brute force attacks - bots just trying billions of passwords until - by accident - they find the right one.
I wonder whether it wouldn't be a good thing to implement an algorithm which, e.g.:
- blocks login after 3 false login attempts for one minute
- then allows another 2 failed attempts and blocks login for 5 minutes
- then allows one last failed attempt and then blocks it forever until action is taken - e.g. responding to an unlock-instructions email, which may require sending an unlock key file, a master password - or whatever.
The numbers for the schedule above can of course vary - we could set up different security profiles from which the admin can choose.
I'd really like to know what security experts think about this thought.
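One way the schedule described above could be implemented, as an added example that is not part of the original post: the 3 / 1-minute, 2 / 5-minute and 1 / permanent tiers come from the post, while keying the state by account name, resetting on a successful login and the `admin_unlock` call are assumptions made here.

```python
import math
from dataclasses import dataclass

# Tiers: (failed attempts allowed in this tier, lock duration in seconds).
# math.inf = locked until an administrator or out-of-band unlock step intervenes.
SCHEDULE = ((3, 60.0), (2, 300.0), (1, math.inf))


@dataclass
class AccountState:
    tier: int = 0              # index into SCHEDULE
    failures: int = 0          # failures counted within the current tier
    locked_until: float = 0.0  # Unix timestamp; math.inf means manual unlock required


class LockoutPolicy:
    """Escalating lockout keyed by account name (assumption: one state per account).
    Caveat for defenders: anyone who knows a username can drive that account into
    the permanent tier, so the manual-unlock step also bounds a denial-of-service."""

    def __init__(self, schedule=SCHEDULE):
        self.schedule = schedule
        self.states: dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.states.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._state(account).locked_until

    def record_failure(self, account: str, now: float) -> float:
        """Register a failed login. Returns the seconds the account is locked for:
        0 if it may still be tried, math.inf if it is locked pending manual action."""
        s = self._state(account)
        if self.is_locked(account, now):
            # Attempts made during a lock are rejected and do not advance the schedule.
            return s.locked_until - now
        s.failures += 1
        allowed, duration = self.schedule[s.tier]
        if s.failures < allowed:
            return 0.0
        # Tier exhausted: apply its lock and move on to the stricter tier.
        s.failures = 0
        s.locked_until = now + duration
        s.tier = min(s.tier + 1, len(self.schedule) - 1)
        return duration

    def record_success(self, account: str) -> None:
        self.states.pop(account, None)  # assumption: a good login resets escalation

    def admin_unlock(self, account: str) -> None:
        self.states.pop(account, None)  # the "action taken" step from the post
```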