Comment 9 for bug 963098

Thomas Biege (thomas-suse-deactivatedaccount) wrote :

For our products I do not recommend having the functionality of locking user accounts because it bites back at you (easy denial of service, locked admin account, ...). I prefer increasing delays per client and a security warning for the admin, clearly logged somewhere. Such a log message should not contain the username entered by the client, but a user ID to avoid injection attacks and leaking of passwords that were accidentally entered as username. The delay and the logging could be done by keystone (configurable) without patching the front-end (except for connection timeouts < login delays).

BTW, https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
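The escalating per-client delay plus the "log a user ID, never the typed username" rule described in the comment above, as an added illustration that is not code from the bug report or from Keystone. The client-to-failure map, the `USER_IDS` lookup table and the delay parameters are constructed for the example; in a real service the username-to-ID mapping comes from the identity backend and the state would live in a shared store rather than a dictionary.

```python
import logging

# Constructed example mapping: in a real deployment the opaque user ID is
# looked up in the identity backend, never derived from the typed string.
USER_IDS = {"alice": "u-1001", "bob": "u-1002"}

logger = logging.getLogger("auth.bruteforce")


class FailedLoginTracker:
    """Per-client backoff for failed logins, without locking any account.

    Each failure from a client doubles the delay before its next attempt is
    accepted, up to max_delay (keep this below the front-end's connection
    timeout, as the comment notes). Accounts themselves are never locked,
    so an attacker cannot deny service to a legitimate (or admin) user.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, warn_after=5):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.warn_after = warn_after
        self.failures = {}   # client -> (consecutive failures, not_before time)
        self.log_lines = []  # warnings emitted, kept in memory for demonstration

    def attempt_allowed(self, client, now):
        """True if the client's backoff window has expired."""
        _, not_before = self.failures.get(client, (0, 0.0))
        return now >= not_before

    def record_failure(self, client, username, now):
        """Register a failed login; returns the delay imposed on this client."""
        count, _ = self.failures.get(client, (0, 0.0))
        count += 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.failures[client] = (count, now + delay)
        if count >= self.warn_after:
            self.log_lines.append(self._warning(client, username, count))
        return delay

    def record_success(self, client):
        """A successful login clears the client's backoff state."""
        self.failures.pop(client, None)

    @staticmethod
    def _subject(username):
        # Only an opaque ID from the backend reaches the log. An unknown name
        # (typo, or a password pasted into the wrong field) is reported as
        # "unknown_user" with no echo of the attacker-controlled string, which
        # also removes the log-injection vector.
        user_id = USER_IDS.get(username)
        if user_id is None:
            return "unknown_user"
        return "user_id=%s" % user_id

    def _warning(self, client, username, count):
        line = "SECURITY: %d consecutive failed logins from client=%s for %s" % (
            count, client, self._subject(username))
        logger.warning(line)
        return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    tracker = FailedLoginTracker(base_delay=1.0, max_delay=8.0, warn_after=3)
    clock = 0.0
    # Constructed sequence: two misses for a real user, then a password
    # pasted into the username field.
    for name in ("alice", "alice", "hunter2", "alice"):
        delay = tracker.record_failure("10.0.0.5", name, clock)
        print("next attempt from 10.0.0.5 accepted after %.0fs" % delay)
        clock += delay
```

The login handler calls `attempt_allowed` before checking credentials and `record_failure`/`record_success` afterwards; the only per-request cost is one dictionary lookup, and a client that stops failing is forgotten after a success.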