Re: MD5 authentication needs help - Mailing list pgsql-hackers

From Greg Stark
Subject Re: MD5 authentication needs help
Date
Msg-id CAM-w4HPWhZmbFvX8xPNvLPckkhGWt0gHQjZGJ0J0ySCM_ok3Jw@mail.gmail.com
In response to Re: MD5 authentication needs help  (Jim Nasby <Jim.Nasby@BlueTreble.com>)
Responses Re: MD5 authentication needs help  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Locked accounts are a terrible terrible idea. All they do is hand attackers an easy DOS vulnerability.
They're pure security theatre if your authentication isn't vulnerable to brute force attacks and an unreliable band-aid
if they are.

Having dealt with mechanisms for locking accounts in other databases, they're much more
complicated than they appear. You need to deal with different requirements for different users, have multiple knobs for
how it triggers and resolves, have tools for auditing the connection attempts to determine if they're legitimate and
identify where the incorrect attempts are coming from, and so on. And all that accomplishes in the best case scenario is
having lots of busy-work support requests responding to locked accounts and in the worst case scenario upgrading minor
issues into major service outages.
