I would like to see a max invalid login attempt lockout mechanism. In most of the Perl script that I use I always have to code this functionality, it would be nice to get it out of the box instead of having to code it myself. Obviously these options should be dissabled by default and the admin should be able to set the max_invalid_login_attempts variable as well as unlock locked accounts. The owner should be able to unlock the account by requesting an email be sent to his stored email account. This email should have an unlock key which the user can use at the website to ulock his account.