I've seen web apps with limitations for user login attempts.
Is it a security necessity and, if so, why?
For example: you had three failed login attempts, let's try again in 10 minutes!!
Limiting how many attempts may be made on a website is to prevent brute force (automated) attacks on your site. If you don't limit these attempts, a hacker can set up a script to keep guessing passwords until it finds one, and this may impact the availability of your web server.
Typically, you may want to time the user out (10 minutes as you mentioned) after 3 attempts, and lock them out after 6 or 9 consecutive repeated attempts, forcing the user to contact you in order to unlock their account. This is put into place because someone can modify their scripts to adjust your timeout.
For my own projects I wrote a generalized 'floodcontrol' library which handles this sort of thing.
It allows me to specify how many attempts may be made in X amount of time. It allows for a certain number of 'grace' attempts in a short time, so that only really unusual behaviour will be caught.
I record in the database a few things:
For each attempt made I query against the partial IP address and the action, and if a previous attempt was made within a certain window of time then I increment the attempt counter for that attempt. If the attempt counter exceeds the number of grace attempts allowed then I check whether the last attempt was within X seconds of now and if so, return false - therefore the action will be blocked (and the user will be told to wait X seconds before trying again). If the attempt counter is below the number of grace attempts then I return true and let it slide.
If a person with the same IP comes by later, then the previous attempt count won't be fetched, because it will be too long ago.
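An in-memory sketch of the flood-control scheme described above, added here as an illustration and not the answerer's own library. It assumes "partial IP" means the /24 (IPv4) or /64 (IPv6) containing the client address, and a dict stands in for the database table; the grace, window and block values are constructed for the example.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AttemptRecord:
    count: int           # attempts seen inside the current window
    last_attempt: float  # unix timestamp of the most recent attempt


class FloodControl:
    """Throttle keyed on (partial IP, action): a few 'grace' attempts are free,
    beyond that the caller must wait block_seconds since the last attempt.
    Records older than window_seconds are treated as never having happened."""

    def __init__(self, grace_attempts: int, window_seconds: float, block_seconds: float):
        self.grace_attempts = grace_attempts
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._records: Dict[Tuple[str, str], AttemptRecord] = {}  # stands in for the DB

    @staticmethod
    def _key(ip: str, action: str) -> Tuple[str, str]:
        # Assumption: "partial IP" = the /24 (IPv4) or /64 (IPv6) the address falls in.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network((addr, prefix), strict=False)), action

    def check(self, ip: str, action: str, now: Optional[float] = None) -> bool:
        """Record one attempt; True if it may proceed, False if it is blocked."""
        now = time.time() if now is None else now
        key = self._key(ip, action)
        rec = self._records.get(key)
        if rec is None or now - rec.last_attempt > self.window_seconds:
            rec = AttemptRecord(count=0, last_attempt=float("-inf"))  # too old: start over
        previous = rec.last_attempt
        rec.count += 1
        rec.last_attempt = now  # blocked attempts count too, so hammering extends the wait
        self._records[key] = rec
        if rec.count > self.grace_attempts and now - previous < self.block_seconds:
            return False
        return True

    def retry_after(self, ip: str, action: str, now: Optional[float] = None) -> float:
        """Seconds to wait before the next attempt could succeed (0.0 if not throttled)."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(ip, action))
        if rec is None or rec.count <= self.grace_attempts:
            return 0.0
        return max(0.0, self.block_seconds - (now - rec.last_attempt))
```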