I notice that account lockout status is not reset when a password is reset. This allows an attacker to execute a denial-of-service attack against anyone whose username or email address he knows. Given that usernames are public information on this forum, all the attacker has to do is choose a username from https://www.howtoforge.com/community/members/ and purposely fail several logins in that user's name, and the user will be unable to access his account until the timeout period expires. Needless to say, this can be done in an automated capacity, if the attacker wishes to be particularly annoying. Am I assessing the situation correctly? Or is there some non-obvious mechanism to prevent this type of abuse? Thanks for any insight!
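
A minimal model of the lockout behaviour described in the post above, added here as an illustration and not taken from the forum software. The threshold, timeout, class and function names, and sample addresses are all assumptions; it compares a lockout that survives a password reset with two hardened variants (clearing the lockout on reset, and counting failures per username and source address).

```python
import time

MAX_FAILURES = 5         # assumed threshold; the post does not state the real one
LOCKOUT_SECONDS = 900    # assumed timeout period

class LockoutTracker:
    """Counts failed logins per key and locks that key for a timeout period."""
    def __init__(self, per_source=False, clock=time.monotonic):
        self.per_source = per_source   # False: key on username only, as the post describes
        self.clock = clock
        self.state = {}                # key -> (failure_count, locked_until)

    def _key(self, username, source_ip):
        return (username, source_ip) if self.per_source else (username, None)

    def is_locked(self, username, source_ip):
        _, locked_until = self.state.get(self._key(username, source_ip), (0, 0.0))
        return self.clock() < locked_until

    def record_failure(self, username, source_ip):
        key = self._key(username, source_ip)
        count, locked_until = self.state.get(key, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            locked_until, count = self.clock() + LOCKOUT_SECONDS, 0
        self.state[key] = (count, locked_until)

    def on_password_reset(self, username, clear_lockout):
        # Hardened form: a completed reset clears every counter and lock for the user.
        if clear_lockout:
            for key in [k for k in self.state if k[0] == username]:
                del self.state[key]

def owner_locked_out(per_source, clear_on_reset):
    """Constructed scenario: another client fails logins for 'alice', then she resets."""
    now = [1000.0]                                       # fixed fake clock
    t = LockoutTracker(per_source=per_source, clock=lambda: now[0])
    for _ in range(MAX_FAILURES):
        t.record_failure("alice", "203.0.113.7")         # third party, documentation address
    before = t.is_locked("alice", "198.51.100.4")        # alice's own client
    t.on_password_reset("alice", clear_lockout=clear_on_reset)
    after = t.is_locked("alice", "198.51.100.4")
    return before, after                                 # locked (before reset, after reset)
```

Per-source counting does not bound guesses spread across many addresses, so a deployment using it would normally keep a separate, higher per-account rate limit as well.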