(no title)

That way you don't log private user data (EU laws etc) and it can't be used to lock someone out of their account.

The only way around this is to attack from a lot of different IPs and that, too, is very easily detectable and solvable in a user friendly way.

Really, how hard is it? I would expect this to be the default for big companies by now.