Zizaco / confide

Confide is an authentication solution for Laravel 4
1.19k stars, 258 forks

Adding security #550

Open xbelmondo opened 8 years ago

xbelmondo commented 8 years ago

Bind the login attempts to the IP address. As the blocking is NOT bound to an IP address, it is possible to block legitimate users by automatically trying to log in with incorrect credentials every few minutes.

Limit the usage of "reset password" to prevent spamming a user whose email is known; in most cases it would be efficient to allow it only a few times per day.

Add throttling to the "reset password" functionality for wrong identities to prevent determination of the existence of valid email addresses.
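The three suggestions above, worked through in one stand-alone PHP example (added here; this is not Confide's code and does not use its API). The counter store is an in-memory array standing in for Laravel's Cache, the clock is injected so the windows can be reasoned about, and the user list, IP addresses and limits are constructed for the demo. Login failures are keyed on IP plus identity, reset requests are capped per IP and per email, and the reset response is identical whether or not the address exists.

```php
<?php
declare(strict_types=1);

// Added example (not Confide's own code). Store/clock/limits are assumptions.
final class AuthThrottle
{
    /** @var array<string, array{count:int, expires:int}> stand-in for Cache */
    private array $store = [];
    private int $now;
    private int $maxLoginFailures;
    private int $loginWindow;
    private int $maxResetsPerEmailPerDay;
    private int $maxResetsPerIpPerHour;

    public function __construct(int $now, int $maxLoginFailures = 5, int $loginWindow = 900,
                                int $maxResetsPerEmailPerDay = 3, int $maxResetsPerIpPerHour = 10)
    {
        $this->now = $now;
        $this->maxLoginFailures = $maxLoginFailures;
        $this->loginWindow = $loginWindow;
        $this->maxResetsPerEmailPerDay = $maxResetsPerEmailPerDay;
        $this->maxResetsPerIpPerHour = $maxResetsPerIpPerHour;
    }

    public function setTime(int $now): void { $this->now = $now; }

    // Increment a windowed counter; a counter whose window expired starts again at 1.
    private function hit(string $key, int $ttl): int
    {
        $entry = $this->store[$key] ?? null;
        if ($entry === null || $entry['expires'] <= $this->now) {
            $entry = ['count' => 0, 'expires' => $this->now + $ttl];
        }
        $entry['count']++;
        $this->store[$key] = $entry;
        return $entry['count'];
    }

    private function count(string $key): int
    {
        $entry = $this->store[$key] ?? null;
        return ($entry === null || $entry['expires'] <= $this->now) ? 0 : $entry['count'];
    }

    // Failures are keyed on client IP AND identity: a remote attacker guessing
    // against "alice" only blocks its own IP, not alice's account everywhere.
    private static function loginKey(string $ip, string $identity): string
    {
        return 'login:' . $ip . ':' . strtolower($identity);
    }

    public function isLoginBlocked(string $ip, string $identity): bool
    {
        return $this->count(self::loginKey($ip, $identity)) >= $this->maxLoginFailures;
    }

    public function recordLoginFailure(string $ip, string $identity): void
    {
        $this->hit(self::loginKey($ip, $identity), $this->loginWindow);
    }

    public function clearLoginFailures(string $ip, string $identity): void
    {
        unset($this->store[self::loginKey($ip, $identity)]);
    }

    /**
     * Returns [bool $sendMail, string $message]. The message is the same for
     * known, unknown and throttled addresses, so the response does not reveal
     * whether the email exists; only $sendMail differs, and that stays server-side.
     */
    public function requestPasswordReset(string $ip, string $email, callable $emailExists): array
    {
        $message = 'If that address is registered, a reset link has been sent.';
        $email = strtolower(trim($email));

        // Per-IP cap counted for every request, known or unknown address, so an
        // enumeration loop is throttled regardless of what it guesses.
        if ($this->hit('reset-ip:' . $ip, 3600) > $this->maxResetsPerIpPerHour) {
            return [false, $message];
        }
        if (!$emailExists($email)) {
            return [false, $message];
        }
        // Per-email daily cap so a known address cannot be spammed with reset mail.
        if ($this->hit('reset-email:' . $email, 86400) > $this->maxResetsPerEmailPerDay) {
            return [false, $message];
        }
        return [true, $message];
    }
}

// Constructed demo data: one registered user, one attacker IP, one legitimate IP.
$users  = ['alice@example.com' => true];
$exists = fn(string $e): bool => isset($users[$e]);
$t = new AuthThrottle(1700000000);

// Five failures from the attacker IP block that IP for "alice" only.
for ($i = 0; $i < 5; $i++) { $t->recordLoginFailure('203.0.113.9', 'alice'); }
var_dump($t->isLoginBlocked('203.0.113.9', 'alice'), $t->isLoginBlocked('198.51.100.4', 'alice'));

// Same message for a known and an unknown address; mail is only sent for the known one.
[$sendKnown, $msgKnown]     = $t->requestPasswordReset('198.51.100.4', 'alice@example.com', $exists);
[$sendUnknown, $msgUnknown] = $t->requestPasswordReset('198.51.100.4', 'nobody@example.com', $exists);
var_dump($sendKnown, $sendUnknown, $msgKnown === $msgUnknown);

// After the daily per-email cap, further resets for alice are silently dropped.
for ($i = 0; $i < 2; $i++) { $t->requestPasswordReset('198.51.100.4', 'alice@example.com', $exists); }
[$sendFourth] = $t->requestPasswordReset('198.51.100.4', 'alice@example.com', $exists);
var_dump($sendFourth);
```

Two caveats worth keeping in mind with this design: binding the lock to the IP does not stop a distributed guesser, so a slower account-level limit (or a CAPTCHA after N failures) is still needed alongside it, and clients behind one NAT share an IP, so the per-IP reset cap should be generous enough that an office does not throttle itself. For the enumeration point, the uniform message only helps if the timing is also similar, so the lookup and any mail queuing should not take visibly longer for a known address.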