Description of problem:
Currently the same lockout period is applied every time a lockout event is triggered. The lockout period should increase for each lockout event.

Version-Release number of selected component (if applicable):
5.0

How reproducible:
Write a script and give it the wrong password.

Steps to Reproduce:
1. Write a script
2. Enter a valid user but invalid credentials
3. Forget to check wtf is going on and blindly retry

Actual results:
Every 30 minutes you will get another shot at logging in and an email will be sent to the error list. If you have multiple IPs you can do the same from each IP.

Expected results:
The lockout period should be based on the total number of failed logins in the DB. The entities in the DB should get deleted on a successful login.

Additional info:
e.g. ( count(youloginfailures) / MAX_LOGIN_ATTEMPTS ) * LOGIN_LOCKOUT_INTERVAL minutes
( 5 / 5 ) * 30 = 30 minutes
( 150 / 5 ) * 30 = 900 minutes
( 352 / 5 ) * 30 = 2112 minutes
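The escalating lockout the report asks for, as an added example that is not the project's own code. It assumes MAX_LOGIN_ATTEMPTS = 5 and LOGIN_LOCKOUT_INTERVAL = 30 (the values implied by the examples above), an in-memory dict standing in for the failed-login table in the DB, and a caller-supplied password check. Failures are counted per account rather than per source IP, so retrying from several IPs shares one counter, the rows are dropped on a successful login, and after the first lockout every further failure is its own lockout event with a longer period. The blind-retry scenario at the end is constructed to show how the period grows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

MAX_LOGIN_ATTEMPTS = 5        # assumed value: failures before the first lockout
LOGIN_LOCKOUT_INTERVAL = 30   # assumed value: base lockout length, in minutes


def lockout_minutes(failures: int) -> int:
    """Lockout length for a running failure count, using the report's formula
    ( count / MAX_LOGIN_ATTEMPTS ) * LOGIN_LOCKOUT_INTERVAL. Integer arithmetic
    keeps 352 failures at exactly 2112 minutes instead of a float near it."""
    return failures * LOGIN_LOCKOUT_INTERVAL // MAX_LOGIN_ATTEMPTS


@dataclass
class FailureRecord:
    """One account's row in the (here in-memory) failed-login table."""
    count: int = 0
    last_failure: Optional[datetime] = None


class LoginGate:
    """Applies the escalating lockout per account, independent of source IP."""

    def __init__(self, check_password: Callable[[str, str], bool]):
        self._check_password = check_password          # hypothetical backend check
        self._failures: dict[str, FailureRecord] = {}  # stands in for the DB table

    def locked_until(self, user: str) -> Optional[datetime]:
        """End of the current lockout, or None if the account is not locked."""
        rec = self._failures.get(user)
        if rec is None or rec.count < MAX_LOGIN_ATTEMPTS:
            return None
        return rec.last_failure + timedelta(minutes=lockout_minutes(rec.count))

    def attempt(self, user: str, password: str, now: datetime) -> str:
        """Returns 'locked', 'failed' or 'ok'."""
        until = self.locked_until(user)
        if until is not None and now < until:
            # Rejected without checking the password and without counting:
            # a script hammering a locked account cannot stretch the lockout
            # by itself; only a real failed attempt after expiry does that.
            return "locked"
        if self._check_password(user, password):
            self._failures.pop(user, None)  # successful login clears the rows
            return "ok"
        rec = self._failures.setdefault(user, FailureRecord())
        rec.count += 1
        rec.last_failure = now
        return "failed"


def blind_retry_demo() -> list[str]:
    """Constructed scenario: a script retries a wrong password once a minute
    for 70 minutes, then supplies the right one at minute 70. Returns the
    gate's verdict for each minute 0..70."""
    gate = LoginGate(lambda user, pw: pw == "hunter2")
    start = datetime(2024, 1, 1, 0, 0)
    verdicts = []
    for minute in range(71):
        password = "hunter2" if minute == 70 else "wrong"
        verdicts.append(gate.attempt("alice", password, start + timedelta(minutes=minute)))
    return verdicts


if __name__ == "__main__":
    for minute, verdict in enumerate(blind_retry_demo()):
        print(f"minute {minute:2d}: {verdict}")
```

In the scenario, five failures at minutes 0 to 4 lock the account for 30 minutes (until minute 34); the sixth failure at minute 34 locks it for 36 minutes (until minute 70), and the correct password at minute 70 succeeds and clears the record. Keying on the account closes the multi-IP loophole the report mentions, but it also means anyone who knows a username can keep it locked, and the formula grows without bound, so a ceiling on the period is worth adding in a real deployment.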
The current value is a balance between user-friendly and BOFH.