Currently we have
$wgPasswordAttemptThrottle = array( 'count' => 5, 'seconds' => 300 );
This means people can only make 5 attempts in a 5-minute time span for a given (IP, user account) pair.
We have to be careful about potential DoS attacks, but I think we should also have additional limits.
I think in addition to the short-term limit, we should also have a long-term limit. Long-term limits are much less likely to accidentally catch a legitimate user, and much more likely to catch an attacker.
For example, I think we should also have a limit of 150 attempts per 48 hours (for the IP, user-account tuple). Someone forgetting their password could conceivably make more than 5 attempts in 5 minutes and accidentally lock themselves out, but it seems very unlikely anyone would legitimately make 150 incorrect guesses without a single correct guess in between.
I also think we should have limits for guesses based solely on the account (not taking the source IP into consideration). It's reasonable to assume an attacker has a botnet at their disposal. Here we have to be careful, as this is also an easy DoS to lock someone out of their account. I think a limit of 100 attempts per 10 minutes would be reasonable.
For limits based solely on IP (not taking the targeted account into consideration), it's harder to know what to do. There's a lot more potential for false positives (when many people share the same IP). Currently we show a CAPTCHA if there have been 3 fails in the last five minutes. That might be the best we can do. Maybe we could do something like: calculate the highest number of logins we get across the entire site in a five-minute interval, double that number, and if a single IP exceeds that, block logins from that IP. At least that would slow down an attacker who doesn't care which account they compromise, as long as they compromise one.
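The following is an added example for this page, not MediaWiki's own throttle code or the $wgPasswordAttemptThrottle format: a small sliding-window model of the three tiers proposed above (5 per 5 minutes and 150 per 48 hours keyed on the (IP, user) pair, 100 per 10 minutes keyed on the user alone). The tier names, the FakeClock, the sample IPs and the choice to clear all counters on a successful login are assumptions of the example; the limits are the numbers from the proposal. The scenarios at the end show the short tier tripping on a forgetful user, the account-only tier catching a botnet that never repeats an IP, and the long tier refusing even the correct password after 150 slow failures.

```python
import time
from collections import defaultdict, deque

# Throttle tiers modelled on the proposal: (name, key builder, max failures, window seconds).
# The tier names and structure are this example's own; the numbers are the proposal's.
TIERS = [
    ("ip_user_short", lambda ip, user: (ip, user), 5, 300),
    ("ip_user_long", lambda ip, user: (ip, user), 150, 48 * 3600),
    ("user_only", lambda ip, user: (user,), 100, 600),
]


class LoginThrottle:
    """Sliding-window failure counter with several independent tiers.

    An attempt is refused if *any* tier already holds `count` failures inside
    its window. A successful login clears the history for that (IP, user) and
    for the user alone (assumption matching the page's premise that a correct
    guess in between resets the count).
    """

    def __init__(self, tiers=TIERS, clock=time.monotonic):
        self.tiers = tiers
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # (tier name, key) -> failure timestamps

    def _window(self, name, key, seconds):
        """Drop timestamps older than the tier's window, return the live deque."""
        q = self.failures[(name, key)]
        cutoff = self.clock() - seconds
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def blocked_by(self, ip, user):
        """Name of the first exhausted tier, or None if the attempt may proceed."""
        for name, keyf, count, seconds in self.tiers:
            if len(self._window(name, keyf(ip, user), seconds)) >= count:
                return name
        return None

    def record_failure(self, ip, user):
        now = self.clock()
        for name, keyf, _count, seconds in self.tiers:
            self._window(name, keyf(ip, user), seconds).append(now)

    def record_success(self, ip, user):
        for name, keyf, _count, _seconds in self.tiers:
            self.failures.pop((name, keyf(ip, user)), None)

    def attempt(self, ip, user, password, real_password):
        """Wrap one password check with the throttle; returns a status string."""
        tier = self.blocked_by(ip, user)
        if tier:
            return "throttled:" + tier      # refused before the password is even checked
        if password == real_password:       # stand-in for the real credential check
            self.record_success(ip, user)
            return "ok"
        self.record_failure(ip, user)
        return "bad-password"


class FakeClock:
    """Manually advanced clock so the scenarios below are reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenarios():
    """Drive the throttle with constructed traffic and return what happened."""
    clock = FakeClock()
    th = LoginThrottle(clock=clock)
    out = {}

    # 1. One person mistypes six times from one IP: the sixth guess is throttled.
    ip, user, real = "203.0.113.5", "alice", "correct horse"
    out["sixth_guess"] = [th.attempt(ip, user, "guess%d" % i, real) for i in range(6)][-1]

    # 2. Just over five minutes later the short tier has expired and she gets in.
    clock.advance(301)
    out["after_5min"] = th.attempt(ip, user, real, real)

    # 3. Botnet: 100 distinct IPs each guess once at the same account within ten
    #    minutes. No (IP, user) tier ever sees more than one failure, but the
    #    account-only tier refuses the 101st guess.
    for i in range(100):
        th.attempt("198.51.100.%d" % i, user, "botguess", real)
    out["botnet_101st"] = th.attempt("198.51.100.200", user, "botguess", real)

    # 4. Slow attacker on another account: 5 guesses, wait 301 s, repeat 30 times
    #    (150 failures in ~2.5 h, never tripping the short tier). The long tier
    #    then refuses even the correct password.
    ip2, user2, real2 = "192.0.2.9", "bob", "hunter2"
    for _round in range(30):
        for i in range(5):
            th.attempt(ip2, user2, "slow%d" % i, real2)
        clock.advance(301)
    out["correct_after_150"] = th.attempt(ip2, user2, real2, real2)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "->", result)
```

Scenario 4 is the interesting one for the DoS concern raised above: once the long tier is full, the account's legitimate owner is locked out from that IP until the oldest failures age out of the 48-hour window, which is why the account-only tier in particular needs a generous count. An IP-only tier would fit the same structure as another TIERS entry keyed on `(ip,)`, but the page leaves that question to the CAPTCHA.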