I'm running web scans with Acunetix and the scan keeps reporting two alerts of "Login page password-guessing attack". Our application is built with ASP.NET and to combat this security alert, I've implemented account lockout that is provided with ASP.Identity. It works: if user enters wrong password five times, account gets locked for 5 minutes.
But Acunetix still reports a Login page password-guessing attack after scanning and tells me that our login page doesn't have any protection. I don't understand, why does this alert show up? Is account lockout for 5 minutes after 5 attempts not a good enough security measure?