Just finished adding code to my "log-in.php" script which locks out a person after 3 consecutive failed log-in attempts.
Was feeling pretty proud of myself, when the following things occurred to me...
1.) Should I get rid of the "Forgot Password" link underneath the Log In Form, which basically resets the User's password if they forget it?
2.) If I lock someone out, then what is supposed to come next??
Personally, I added this security feature not just to prevent Brute Force attacks, but also to prevent someone from continually trying to guess other people's passwords!!