On my website, many users lost their password when i converted from 2.0 to Olympus.
They failed the max authorized attempts, then asked for new passwords.
But when they activated and try to login again, they had a first failed attempt because the captcha code has to be reproduced, so they thought that the new password isn't working... and sent many emails for support.

I think it's more logical to reinitialize this counter when they click on the activation link in the confirmation email, so i moded it like this :

OPEN ucp/ucp_activate.php
SEARCH
if ($update_password)
{
$sql_ary = array(
'user_actkey' => '',
'user_password' => $user_row['user_newpasswd'],
'user_newpasswd' => '',
'user_pass_convert' => 0,

AFTER, ADD
'user_login_attempts' => 0,