
Lock down accounts by IP after N failed attempts at logging in #2888

@mattab

Description


Our security policy aims to make security a principal design behind Piwik. One aspect that bugs me currently is that good old brute force attacks could be a vector of penetration in Piwik (if, e.g., the attacker knows the login).

We should provide a core mechanism that would lock out a user, for 30 min for example, after N failed attempts. Settings could be changed by the Super User and the feature would be enabled by default, locking out for 30 min after 5 failed attempts.

Implementation proposal:

  • Record, using Piwik_SetOption, a count of lockdowns for each IP that fails to enter a valid login / pwd combination
  • After N failures, lock the IP down and refuse authentication (even if the combination is actually valid!).
  • Document as a FAQ, linked from the UI, the SQL to delete all locked-out IPs in case the SU was actually locked out and can't wait.
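The per-IP lockout sketched in the three steps above, written out as an added example (not Piwik code and not from this issue): Python rather than PHP, with an in-memory dict standing in for Piwik_GetOption / Piwik_SetOption. The option-name prefix `login_failures_`, the functions `record_failure`, `is_locked_out`, `unlock_all`, `authenticate` and the constructed `demo_check` credential check are all assumptions made for this illustration.

```python
import time

# Constructed stand-in for Piwik's option store (Piwik_GetOption / Piwik_SetOption):
# a plain dict keyed by option name. This is an assumption for the example, not Piwik's API.
_options = {}

MAX_FAILURES = 5            # N: failed attempts allowed before the IP is locked (issue proposes 5)
LOCKOUT_SECONDS = 30 * 60   # lockout duration, 30 minutes as proposed in the issue
OPTION_PREFIX = "login_failures_"   # hypothetical option-name prefix, one option per IP


def get_option(name, default=None):
    return _options.get(name, default)


def set_option(name, value):
    _options[name] = value


def _option_name(ip):
    return OPTION_PREFIX + ip


def _state(ip):
    # {"count": failures so far, "locked_until": unix time the lock expires, or None}
    return get_option(_option_name(ip), {"count": 0, "locked_until": None})


def is_locked_out(ip, now=None):
    """True while the IP's lockout window is still open."""
    now = time.time() if now is None else now
    locked_until = _state(ip)["locked_until"]
    return locked_until is not None and now < locked_until


def record_failure(ip, now=None):
    """Count one failed login for the IP; start a lockout at the N-th failure."""
    now = time.time() if now is None else now
    state = _state(ip)
    # An expired lock starts a fresh count rather than re-locking on the first miss.
    if state["locked_until"] is not None and now >= state["locked_until"]:
        state = {"count": 0, "locked_until": None}
    state["count"] += 1
    if state["count"] >= MAX_FAILURES:
        state["locked_until"] = now + LOCKOUT_SECONDS
    set_option(_option_name(ip), state)
    return state["count"]


def clear_failures(ip):
    """A successful login resets the counter for that IP."""
    _options.pop(_option_name(ip), None)


def unlock_all():
    """Admin escape hatch: drop every per-IP record. This is the programmatic
    equivalent of the 'delete all locked-out IPs' SQL the issue wants in a FAQ."""
    for name in [n for n in _options if n.startswith(OPTION_PREFIX)]:
        del _options[name]


def authenticate(ip, login, password, check_credentials, now=None):
    """Return "ok", "invalid" or "locked_out".

    The lock is checked before the credentials are: a locked IP is refused even
    when the login/password pair is valid, as the proposal requires, so a correct
    guess made during the window is not confirmed to the caller.
    """
    now = time.time() if now is None else now
    if is_locked_out(ip, now):
        return "locked_out"
    if check_credentials(login, password):
        clear_failures(ip)
        return "ok"
    record_failure(ip, now)
    return "locked_out" if is_locked_out(ip, now) else "invalid"


def demo_check(login, password):
    # Constructed credential check standing in for the real user lookup.
    return login == "admin" and password == "correct-password"
```

Two design points worth noting. The lock check runs before any credential lookup, so a locked IP gets the same answer for a right and a wrong password; and an expired lock resets the counter instead of re-locking on the very next failure. Keying on the client IP has the side effect the proposal's third bullet anticipates: everyone behind a shared NAT or proxy is locked out together, which is why the Super User escape hatch (`unlock_all` here, the documented SQL in the proposal) has to exist.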

Metadata

Labels

  • Enhancement: For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
  • Major: Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
  • c: Security: For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
