level12 / keg-auth

Robust authentication system for Keg

Rate limiting improvements

rsyring opened this issue · comments

  • Require the attempts table to be defined so that rate limiting is enabled by default
  • Set more reasonable defaults, the current defaults seem really strict. Maybe 15 attempts in 10 minutes and then lock for 60 minutes? Worst case, this permits 14 attempts every 10 minutes at most. Assuming our threat vector would be high speed automated attacks, this would slow them essentially to a crawl.
    • What does Django do? Looks like they have libraries that do this. What are their defaults?
  • Do we really need three different sets of throttling params? Login, reset, and forgot? Maybe the flexibility makes sense since it's already built. But how about a generic set of config variables that are used as the defaults for the other three: `KEGAUTH_ATTEMPT_LIMIT`, etc.
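The defaults and generic-fallback config scheme proposed above, as an added example rather than keg-auth's own code: an in-memory stand-in for the attempts table that enforces 15 attempts per 10 minutes followed by a 60-minute lockout, with per-feature keys overriding generic ones. Only `KEGAUTH_ATTEMPT_LIMIT` appears in the issue; the other generic keys and the per-feature naming pattern (e.g. `KEGAUTH_LOGIN_ATTEMPT_LIMIT`) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Generic defaults proposed in the issue: 15 attempts per 10 minutes, then lock for 60 minutes.
# KEGAUTH_ATTEMPT_LIMIT is named in the issue; the TIMESPAN/LOCKOUT keys and the
# per-feature override pattern (KEGAUTH_<FEATURE>_ATTEMPT_<SUFFIX>) are assumptions.
GENERIC_DEFAULTS = {
    'KEGAUTH_ATTEMPT_LIMIT': 15,
    'KEGAUTH_ATTEMPT_TIMESPAN': 600,   # seconds
    'KEGAUTH_ATTEMPT_LOCKOUT': 3600,   # seconds
}


def resolve_params(config, feature):
    """Per-feature key wins, then the generic key, then the built-in default."""
    feature = feature.upper()
    params = {}
    for suffix in ('LIMIT', 'TIMESPAN', 'LOCKOUT'):
        generic_key = f'KEGAUTH_ATTEMPT_{suffix}'
        specific_key = f'KEGAUTH_{feature}_ATTEMPT_{suffix}'
        fallback = config.get(generic_key, GENERIC_DEFAULTS[generic_key])
        params[suffix.lower()] = config.get(specific_key, fallback)
    return params


@dataclass
class AttemptLimiter:
    config: dict
    # (feature, identifier) -> failed-attempt timestamps in seconds; stands in for the attempts table
    attempts: dict = field(default_factory=lambda: defaultdict(list))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, feature, identifier, now):
        return self.locked_until.get((feature, identifier), 0) > now

    def record_attempt(self, feature, identifier, now):
        """Record one failed attempt; return True if the caller must reject it (locked out)."""
        key = (feature, identifier)
        if self.is_locked(feature, identifier, now):
            return True
        p = resolve_params(self.config, feature)
        # Keep only attempts still inside the sliding timespan, then add this one.
        window = [t for t in self.attempts[key] if now - t < p['timespan']]
        window.append(now)
        self.attempts[key] = window
        if len(window) >= p['limit']:
            # Limit reached within the timespan: the attempt that hits it is rejected and starts the lockout.
            self.locked_until[key] = now + p['lockout']
            self.attempts[key] = []
            return True
        return False
```

With the defaults this yields the "14 attempts every 10 minutes at most" worst case the issue describes; the limiter is keyed per feature, so a login lockout does not affect reset or forgot.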

FWIW, there are a few Django middleware libs that do this sort of thing, but none of them appear to have default values. They all expect the app developer to supply configuration for those values.