From the drupal security mailing list (http://groups.drupal.org/node/293943#comment-914498):
"If you have good passwords on the accounts you value, you might actually better off with the brute-force than with login_security and the multi-factor authentication modules.
It is in general wise to limit the reflex to solve a perceived problem by adding yet another module and first investigate trade-offs.
When following the advice, you may be trading potential vulnerabilities for others. Bugs in multi-factor authentication modules can have devastating consequences.
login_security itself also has a number of problems. To quote dstol on IRC: "give me a site with login_security enabled and i can dos it offline with next to no effort".
In summary: I'd hesitate to install any of these modules without doing a very thorough review."
Prevents brute force password attacks
Options:
limit the number of invalid login attempts before blocking accounts
deny access by IP address, temporarily or permanently.