MAF-008: [MODERATE] No password bruteforce protection on login

[Floppy]

Description:

The application lacks protection against password bruteforce attacks during log in.

Technical description:

The login functionality does not have measures to prevent password brute-force attacks. This leaves the application vulnerable to automated attacks by trying multiple password combinations to gain unauthorized access.

Impact:

Attackers can attempt numerous password combinations, increasing the risk of account compromise.

Recommendation:

• [x] Implement account lockout mechanisms to temporarily lock accounts after a certain number of failed login attempts.
• [x] Implement rate limiting to restrict the number of login attempts from a single IP address within a given time frame. will fix later, see #2270
• ticketed for later: #2277
• ticketed for later: #2256 & #2255

[Floppy]

More work to do here in separate tickets, but all need more thought; the basic rate lockout mechanism is a good enough start to call this addressed...