Although we use bcrypt which should reduce the risk of brute forcing by being slow, we should probably have a limit on login attempts. I'm not sure what a good time limit/attempt limit to set would be, but either way I think both should be configurable. From a UX perspective I really hate having to wait 15 minutes because I couldn't remember my password in 5 attempts, so I think it should be more forgiving than that, maybe 10 attempts in 2 minutes?
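One way to implement the configurable limit proposed above, as an added example rather than code from this project: a per-account sliding window that counts only failed attempts, checks the limit before doing the (expensive) bcrypt verification, and clears on a successful login. The `verify` callback and the `clock` parameter are assumptions for illustration and testing.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Sliding-window limiter for failed logins, keyed per account.

    Both knobs are configurable; the defaults are the "10 attempts in
    2 minutes" proposal from the issue.
    """

    def __init__(self, max_attempts=10, window_seconds=120, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(deque)   # account -> timestamps of failures

    def _prune(self, account, now):
        # Drop failures that have aged out of the window; return the live queue.
        q = self._failures[account]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, account):
        """True if the account has hit max_attempts failures inside the window."""
        return len(self._prune(account, self._clock())) >= self.max_attempts

    def seconds_until_allowed(self, account):
        """Seconds until the oldest failure ages out (0.0 if not blocked)."""
        now = self._clock()
        q = self._prune(account, now)
        if len(q) < self.max_attempts:
            return 0.0
        return self.window_seconds - (now - q[0])

    def record_failure(self, account):
        now = self._clock()
        self._prune(account, now).append(now)

    def record_success(self, account):
        # A correct password clears the counter so a legitimate user is not
        # penalised later for a few earlier typos.
        self._failures.pop(account, None)

    def attempt_login(self, account, password, verify):
        """Gate a login; `verify(account, password)` is the app's bcrypt check (assumed)."""
        if self.is_blocked(account):          # refuse before spending bcrypt CPU
            return False, "rate_limited"
        if verify(account, password):
            self.record_success(account)
            return True, "ok"
        self.record_failure(account)
        return False, "bad_credentials"
```

Only failures count toward the limit, so a user who gets it right on the ninth try is never locked out, while an attacker hammering one account is stopped after ten wrong guesses for the rest of the window.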