Thank you for the suggestions.
You are right that currently Sitefinity is vulnerable to this kind of brute-force attack.
We are actually working now on improving our TelerikMembershipProvider to support the basic SqlMembershipProvider functionality for password lockout. It will be available in Sitefinity 3.1.
For the time being, you could modify the login page (~/Sitefinity/Login.aspx) to fit your needs.
Your requirement for user reset is quite specific; we are not sure that it will be implemented in the next version, as we intend to add only the basic functionality for locking a user. However, we believe that you will be able to add any additional functionality in the Login form.
A CAPTCHA implementation can be done by customizing the login page (/Sitefinity/Login.aspx). It should not be a problem to add such functionality. However, we are not planning to provide a CAPTCHA generator for Sitefinity because it would be vulnerable to relay attacks and would be quite useless.
Please let us know if you have additional questions or suggestions.
The Telerik team