I know that in the platform, people often ask to change passwords, and the response to that is that this should be done by your normal network management software. This is fine.

However, from what I can see there's no way to store repeated login attempts, and block users when they exceed a threshold - therefore the platform is open to brute force attacks.

This I think is something the platform should provide. Does anyone agree? (Or even, does it already do this somewhere that I'm missing?)

I'm asking because we security audit all our software using an external company; they will do this sort of thing, and I think we're about to run the audit against Pentaho (which so far has been able to avoid this check!).