The idea for this thread started here.
Since login requires just a password, bots can use brute force to break into a site. So you should force requests to wait if they have failed to log in a few times. For example, after 5 failed attempts, the user has to wait 20 minutes.
Priority 3.
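
One way to implement the wait described above, as an added example that is not part of the original post or the project's own code. It assumes failures are counted per client IP in memory; the class, method and parameter names are hypothetical, and the sample addresses are constructed.

```python
import time

MAX_FAILURES = 5            # from the post: 5 failed attempts
LOCKOUT_SECONDS = 20 * 60   # from the post: wait 20 minutes


class LoginThrottle:
    """Counts failed logins per client key (assumption: the source IP)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock      # injectable so the timing can be tested
        self._state = {}        # key -> (failure_count, time_of_last_failure)

    def seconds_remaining(self, key):
        """Seconds the client must still wait; 0.0 if it may try now."""
        count, last = self._state.get(key, (0, 0.0))
        if not count:
            return 0.0
        remaining = last + self.lockout - self.clock()
        if remaining <= 0:
            # Failures older than the lockout period expire, locked or not.
            del self._state[key]
            return 0.0
        return remaining if count >= self.max_failures else 0.0

    def attempt(self, key, check_password):
        """check_password is a zero-argument callable returning True/False.

        Returns True only when the login is accepted.
        """
        if self.seconds_remaining(key) > 0:
            # Locked out: do not evaluate the password at all, so guesses
            # sent during the wait reveal nothing, even a correct one.
            return False
        if check_password():
            self._state.pop(key, None)   # success clears the counter
            return True
        count, _ = self._state.get(key, (0, 0.0))
        self._state[key] = (count + 1, self.clock())
        return False
```

The in-memory dictionary is lost on restart and is not shared between worker processes, so a real deployment would keep the counters in whatever persistent storage the site already uses.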