I've seen web apps with limitations for user login attempts.
Is it a security necessity and, if so, why?
For example: you had three failed login attempts, let's try again in 10 minutes!!
I saw a creative approach to this once...
For each login attempt that fails, the lockout time increases... exponentially.
attempt | lockout time
======================
1 | 2s
2 | 4s
3 | 8s
4 | 16s
5 | 32s
6 | 64s
7 | 128s
8 | 256s
9 | 512s
10 | 1024s
In theory, it lets a user make a mistake or two, but as soon as it appears to become a "hacking" attempt, the hacker gets locked out for longer and longer time periods.
I haven't used this myself (yet), but conceptually I quite like the idea. Of course on successful login, the counter is reset.
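The doubling lockout from the table above, written out as a small per-account throttle. This is an added example, not code from the answer's author; the class and function names are my own, and the clock is passed in as a parameter so the behaviour can be checked deterministically.

```python
"""Exponential login lockout: each consecutive failure doubles the wait."""
from dataclasses import dataclass, field

BASE_SECONDS = 2      # lockout after the first failure (2s, as in the table)
MAX_SECONDS = 1024    # cap at the 10th attempt so the wait cannot grow unbounded


def lockout_seconds(failures: int) -> int:
    """Lockout duration after `failures` consecutive failed attempts.
    1 -> 2s, 2 -> 4s, ..., 10 -> 1024s, then capped."""
    if failures <= 0:
        return 0
    return min(BASE_SECONDS ** failures, MAX_SECONDS)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # absolute time at which the lockout expires


@dataclass
class LoginThrottle:
    """Tracks per-account failure counts. `now` is supplied by the caller
    (e.g. time.time()) rather than read here, so tests control the clock."""
    accounts: dict = field(default_factory=dict)

    def seconds_remaining(self, user: str, now: float) -> float:
        state = self.accounts.get(user)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - now)

    def attempt(self, user: str, password_ok: bool, now: float) -> bool:
        """Return True only if the login succeeds. A correct password presented
        during a lockout is still rejected, so guessing cannot skip the wait."""
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return False
        if password_ok:
            self.accounts.pop(user, None)  # success resets the counter
            return True
        state.failures += 1
        state.locked_until = now + lockout_seconds(state.failures)
        return False
```

Because the counter is keyed on the account alone, a stream of bad passwords for a known username keeps that account locked for its owner too; deployments usually bound the lockout (as MAX_SECONDS does here) or key on the client source as well.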