Feature #97496
open
Return 401 on failed login
Added by Ian Solo over 2 years ago.
Updated over 2 years ago.
Description
Return 401 HTTP code on failed login to the BE and felogin so that intrusion prevention software like fail2ban can be configured to detect brute force attacks.
I see no real benefit of changing the HTTP return code for failed logins and would like to refer to the same discussion in the Wordpress community - see: https://core.trac.wordpress.org/ticket/25446
TYPO3 has a rate limiter component since v11, which is able to block IP addresses for a certain time after a configurable amount of failed login attempts (backend/frontend logins).
TYPO3 sends different HTTP response codes on successful logins (303 for successful backend login and 303 for successful frontend login if redirect is enabled). This information can be used to configure an IPS system to monitor/block brute force login attempts.
Also, TYPO3 offers the following:
So in general it should already be possible to configure an IPS system to detect failed logins in TYPO3 (but not by HTTP response status).
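The detection the reply above describes, monitoring login attempts by HTTP status rather than by a dedicated failure code, as an added example that is not from this issue, from TYPO3 or from fail2ban. It assumes a backend login endpoint at /typo3/login (an assumption, not taken from the issue), reads constructed access-log lines in the common "combined" format, and counts a POST to that path that does not end in the 303 redirect mentioned above as a failed attempt, applying a sliding window like fail2ban's maxretry/findtime pair:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format). The IP addresses are
# documentation ranges, the login path and the 200-on-failure behaviour are
# assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2022:12:00:01 +0000] "POST /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
203.0.113.7 - - [10/May/2022:12:00:02 +0000] "POST /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
198.51.100.4 - - [10/May/2022:12:00:03 +0000] "POST /typo3/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2022:12:00:04 +0000] "POST /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
203.0.113.7 - - [10/May/2022:12:00:05 +0000] "GET /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
203.0.113.7 - - [10/May/2022:12:00:06 +0000] "POST /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
203.0.113.7 - - [10/May/2022:12:00:07 +0000] "POST /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
203.0.113.7 - - [10/May/2022:13:30:00 +0000] "POST /typo3/login HTTP/1.1" 200 5120 "-" "curl/7.81"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATHS = {"/typo3/login"}   # assumed backend login endpoint
SUCCESS_STATUSES = {303}         # successful login redirects with 303 (see reply above)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(ev):
    """A POST to the login endpoint that did not end in the success redirect."""
    return (
        ev["method"] == "POST"
        and ev["path"] in LOGIN_PATHS
        and ev["status"] not in SUCCESS_STATUSES
    )


def find_brute_force(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time the threshold was first reached}.

    Keeps a per-IP sliding window of failed-login timestamps; an IP is
    flagged once it has `maxretry` failures within `findtime`, mirroring
    the two fail2ban settings of the same name.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        # Drop attempts that fell out of the window.
        while q and ev["ts"] - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: threshold reached at {when.isoformat()}")
```

On the constructed input, 203.0.113.7 is flagged at its fifth failed POST (12:00:07); the GET and the other client's 303 are ignored, and the attempt at 13:30 falls outside the window. The check hinges on the success redirect being present, so on a frontend login without redirect enabled this heuristic has nothing to distinguish success from failure, which is the limitation behind the 401 request in this issue.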
@Torben: What is the problem with a correct status code?
From my point of view, the HTTP status code is wrong and should be 401. The reason or use case is described.
Referring to events or hooks is not very helpful; why should I implement any custom code with events if the correct HTTP status would solve the issue?