What’s the algorithm it uses? For example, how many login attempts does it take for a user to be locked out? What happens if a legitimate user forgets their password and reaches their lockout limit? Are they permanently locked or is there a way to unlock them? How are you tracking users? By IP? By cookie?
