Brute force password attack
I recently downloaded and installed Vanilla Forums on my laptop to test before I upload it to my website. During testing I noticed that there is no protection against brute force password attacks. The login system only blocks password attempts that are faster than 1 second (as far as I know).
So if a hacker writes a script that attempts to log into an account every 1.5 seconds, they can try 57,600 different passwords in one day or 403,200 in a week. That’s quite scary to me or am I missing something?
Would it not be better to have a reCAPTCHA pop up after a few failed login attempts or maybe make waiting time longer between failed log in attempts?