All the Password Provider implementations provided by default publish a “LoginAttemptMessage” every time they check a password value. This permits any org.springframework.context.ApplicationListener<LoginAttemptMessage> to react to the login. Only one implementation is active by default (as of 4.2.1): ome.security.auth.LoginAttemptListener which throttles logins after a given number of failed attempts. Configuration for this listener is available in Security:

omero.security.login_failure_throttle_count=1 # Number of failed attempts before throttling begins
omero.security.login_failure_throttle_time=3000 # Time in milliseconds

A more sophisticated listener would lock the user’s account until an administrator intervenes. This is the goal of #3139.