Brute force attack using different IPs

[ahmadnazir]

This bundle doesn't take into consideration that different IP addresses might be used to brute force a specific username. However, blocking the account based on multiple attempts for a specific username, irrespective of the IP address, creates another problem i.e. user A can attempt to log in as user B, hence blocking access for user B. To overcome this, we need to make sure that access for user B is allowed from a pre-saved/whitelisted IP address.

Do you have any opinion/thoughts on the matter?

[SchizoDuckie]

I would like it a lot if there's some in-memory counter somewhere that checks how many failed attempts a specific username has had for the last 24/48 hours.

This would prevent a lot of the 'tor' attacks imo.