06-30-2003
Alan J. Flavell
Re: Apache limit number of login retries

On Sun, Jun 29, Martin Wickman inscribed on the eternal scroll:

> In a nutshell:
>
> A client enters valid user name, but an invalid password. After a
> number of failed attempts, the account should be locked.


Provides any mischief maker with an instant denial-of-service attack.

> In this particular scenario, the action is to block the user, but
> there could be other actions. For instance notifying an admin by mail
> or sms, logging to a database etc.
>
> Obviously this is not trivial,


Seems easy enough to me as stated; just that it rates to create as
much of a problem as it solves.

And 'thanks' to the widespread availability of open proxies on the
internet nowadays (the spammers are already making enthusiastic use of
them), any attempt to confine the blockout to a particular IP could be
easily circumvented.
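To make the two objections above concrete, here is an added simulation (example code, not from the original post or thread): a toy login gate implementing both lockout designs under discussion, per-account and per-IP, with constructed usernames, passwords and addresses. It shows that a per-account lock is tripped by an attacker who knows only the username, locking out the legitimate user, and that a per-IP lock is defeated by spreading guesses over several source addresses (open proxies), since each address gets its own failure budget.

```python
"""Added example: the two lockout designs discussed in the thread and the
failure mode of each.  Credentials, addresses and limits are constructed
for the demonstration; a real store would hold salted password hashes."""

import itertools
from collections import defaultdict

USERS = {"martin": "correct-horse"}   # constructed credential store
MAX_FAILURES = 3                      # lock after this many wrong passwords
VICTIM_IP = "192.0.2.10"              # the legitimate user's address


class AccountLockout:
    """Lock the account after MAX_FAILURES wrong passwords, from any source."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, user, password, src_ip):
        if self.failures[user] >= MAX_FAILURES:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad-password"


class IpLockout:
    """Lock the source address after MAX_FAILURES wrong passwords from it."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, user, password, src_ip):
        if self.failures[src_ip] >= MAX_FAILURES:
            return "blocked-ip"
        if USERS.get(user) == password:
            return "ok"
        self.failures[src_ip] += 1
        return "bad-password"


def account_lockout_dos():
    """Attacker with only the username locks the account; the victim then
    presents the correct password and is refused."""
    gate = AccountLockout()
    for _ in range(MAX_FAILURES):
        gate.login("martin", "guess", "198.51.100.7")     # attacker, one IP
    return gate.login("martin", "correct-horse", VICTIM_IP)


def guesses_allowed(gate_cls, source_ips, budget=10):
    """Count how many of `budget` attacker guesses actually reach the
    password check when the attacker cycles through `source_ips`."""
    gate = gate_cls()
    ips = itertools.cycle(source_ips)
    checked = 0
    for i in range(budget):
        if gate.login("martin", f"guess{i}", next(ips)) == "bad-password":
            checked += 1
    return checked


def victim_after_ip_attack(source_ips):
    """Per-IP lockout never touches the victim's address, so the victim
    still logs in; the cost is that the attacker's guesses were not capped."""
    gate = IpLockout()
    for i, ip in enumerate(itertools.cycle(source_ips)):
        if i >= MAX_FAILURES * len(source_ips):
            break
        gate.login("martin", f"guess{i}", ip)
    return gate.login("martin", "correct-horse", VICTIM_IP)


if __name__ == "__main__":
    proxies = [f"203.0.113.{i}" for i in range(1, 6)]  # constructed open proxies
    print("victim under account lockout:", account_lockout_dos())
    print("guesses checked, per-IP lock, one IP:", guesses_allowed(IpLockout, [proxies[0]]))
    print("guesses checked, per-IP lock, five IPs:", guesses_allowed(IpLockout, proxies))
    print("guesses checked, account lock, five IPs:", guesses_allowed(AccountLockout, proxies))
    print("victim after per-IP attack:", victim_after_ip_attack(proxies))
```

The numbers make the trade-off explicit: the account lock caps the attacker at MAX_FAILURES guesses but lets anyone who knows a username deny service to its owner, while the IP lock leaves the owner alone but caps nothing once the attacker has more addresses than patience. Neither design on its own is the answer the original poster was looking for.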