Staring from 2.6 the user will be blocked after 10 attempts of logging in using invalid password.
User will see the following message in Management Console UI:
At any time, SuperAdmin user is able to generate reset password link. It's available in MC -> Configure -> Users page:
SuperAdmin must click red 'Blocked' alert link and generate reset link:
You may also reset user password at any time if you have terminal access to Management console machine. It is available through srvctrl control script. Just put the right name after resetpassword sub-command.
On Linux MC it would look like: