Since version 4.1.0.35, new login rules have been implemented.
The main rules are:
- A user can make up to 3 login attempts. The 4th incorrect attempt blocks the account for 30 minutes.
- Each incorrect attempt increases the response time by 5 seconds (1st attempt: 5 s, 2nd attempt: 10 s, 3rd attempt: 15 s, 4th attempt: 20 s and blocking).
- If the user requests a new password and confirms the process via e-mail, the 30-minute timeout (or whatever is left of it) is dropped and the user can log in directly with the new password.
- If the 30-minute timeout expires, the user can try again 3 times.
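
The rules above as a small state machine, as an added example (not the product's own code). The class and method names are hypothetical, and two behaviours the rules do not spell out are assumptions: attempts made during a block are rejected without extending it, and a correct login clears the failure counter.

```python
import time

MAX_FREE_ATTEMPTS = 3   # incorrect attempts allowed before the blocking one
DELAY_STEP_S = 5        # extra response delay added per incorrect attempt
BLOCK_S = 30 * 60       # block duration after the 4th incorrect attempt


class LoginThrottle:
    """Per-account failure counter and block timer (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so the timer can be tested
        self._failures = {}            # account -> consecutive incorrect attempts
        self._blocked_until = {}       # account -> clock value when the block ends

    def is_blocked(self, account):
        until = self._blocked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Timeout expired: the user gets 3 fresh attempts.
            self.reset(account)
            return False
        return True

    def record_failure(self, account):
        """Return (delay_seconds, blocked) for one incorrect attempt."""
        if self.is_blocked(account):
            # Assumption: rejected outright, block window is not extended.
            return 0, True
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        blocked = n > MAX_FREE_ATTEMPTS
        if blocked:
            self._blocked_until[account] = self._clock() + BLOCK_S
        return n * DELAY_STEP_S, blocked   # 5, 10, 15, then 20 and blocking

    def record_success(self, account):
        # Assumption: a correct login clears the failure counter.
        self.reset(account)

    def reset(self, account):
        """Used on block expiry and after an e-mail-confirmed password reset."""
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)
```

The caller applies the returned delay before answering the login request and calls `reset()` once the password-reset e-mail has been confirmed.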