I understand that as of phpBB 3.0.9-RC1 the handling of login attempts was changed from a per-user account basis to a per-IP basis (as described in
As the comment by maniac 2 on that issue already pointed out, this change can be quite counterproductive in certain environments. The user suggested this in cases of using phpBB in (or from) a larger organization where all attempts would come from the same IP address, and hence a failure of user x to log in would impact user y's login attempts.
This is bad for two reasons IMO:
1. User y, being presented with the login-failure message, would incorrectly assume that someone tried to hack into his account (i.e. entered the wrong password), while actually the login attempts were made for a completely different username.
2. It's causing inconvenience because suddenly all users from that company would have to solve the captcha just because a single user mistyped his password.
The matter becomes even worse in scenarios where phpBB is run in a privacy-focused environment where IP addresses are not recorded at all (and rather always reported as 127.0.0.1, e.g. by using the removeip Apache 2 mod). In my case this is exactly what I'm doing, and basically every user of my board will always have to enter the captcha now.
I do understand the rationale behind the original change and I won't argue that it is, in general, better behavior than the older username-based login attempt counters.
Still, I'd like to see this improved one way or another. Providing a config setting to disable IP-based login attempt counters (which would then fall back to username-based login counters as it was pre-3.0.9-RC1) might be an option. Alternatively, an IP whitelist could be added, so that for the IP addresses on that list the username-based login counters would always be used.
A third alternative would be to at least disable the IP-based counters for the 127.0.0.1 IP (localhost) and, at least in this case, fall back to the username-based login attempt counters.
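To make the three alternatives concrete, here is an added example (not phpBB code, and not from the issue's author) of a login attempt counter that supports all of them: a config switch for IP-based counting, an IP whitelist, and localhost in that whitelist by default. The class name, the threshold of 3 failures, the IP addresses and the usernames are all constructed for this illustration. The first scenario reproduces the shared-office problem described above; the other two show the username-based fallback for whitelisted addresses and for the disabled setting.

```python
"""Illustrative login attempt counter with IP-based or username-based keying.

Constructed example; it is not phpBB's implementation. It models the policy
choices discussed above: count per IP by default, but fall back to a
per-username counter when IP-based counting is disabled or when the request
comes from a whitelisted address (127.0.0.1 by default, covering setups
where every request is reported as localhost).
"""


class LoginAttemptCounter:
    def __init__(self, max_attempts=3, ip_based=True, ip_whitelist=("127.0.0.1",)):
        # max_attempts is an assumed threshold, not phpBB's configured value.
        self.max_attempts = max_attempts
        self.ip_based = ip_based
        self.ip_whitelist = set(ip_whitelist)
        self.failures = {}  # counter key -> number of consecutive failures

    def _key(self, username, ip):
        """Pick the counter that applies to this login attempt.

        Per-IP counting is used only when it is enabled and the source IP is
        not whitelisted; otherwise the counter is keyed on the username, as in
        the pre-3.0.9-RC1 behaviour described in the post.
        """
        if self.ip_based and ip not in self.ip_whitelist:
            return ("ip", ip)
        return ("user", username.lower())

    def record_failure(self, username, ip):
        """Register a failed login and return the updated failure count."""
        key = self._key(username, ip)
        self.failures[key] = self.failures.get(key, 0) + 1
        return self.failures[key]

    def record_success(self, username, ip):
        """A successful login resets the counter that applied to it."""
        self.failures.pop(self._key(username, ip), None)

    def captcha_required(self, username, ip):
        """True once the applicable counter has reached the threshold."""
        return self.failures.get(self._key(username, ip), 0) >= self.max_attempts


def shared_office_scenario(counter, ip):
    """User x mistypes the password three times from `ip`; does user y suffer?

    Returns (captcha_for_x, captcha_for_y) for the same source address.
    """
    for _ in range(3):
        counter.record_failure("x", ip)
    return counter.captcha_required("x", ip), counter.captcha_required("y", ip)


if __name__ == "__main__":
    # Constructed office address, not whitelisted: y is penalised for x's typos.
    print("per-IP, office:", shared_office_scenario(LoginAttemptCounter(), "10.0.0.5"))
    # Everything reported as localhost (whitelisted): only x is challenged.
    print("per-IP, localhost:", shared_office_scenario(LoginAttemptCounter(), "127.0.0.1"))
    # IP-based counting disabled entirely: username-based behaviour everywhere.
    print("ip_based=False:", shared_office_scenario(LoginAttemptCounter(ip_based=False), "10.0.0.5"))
```

Note the trade-off the post acknowledges: whichever addresses use the username-keyed counter get the older behaviour, where failures are attributed to the account rather than the source, so the whitelist should stay as small as the deployment actually needs (e.g. only the reverse proxy or localhost address).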