@ Philip – your post has been merged into this relevant topic.
I created this exact same scenario. Created a page called /signup/ and password protected it. Did not get a 403 error and authentication worked fine. Which Brute Force Login protection code are you referring too? There are several different Brute Force Login protection code options. My first logical guess is that you used the IP based Brute Force Login protection code and your IP address was changed by your ISP, which it will do very frequently every 24 hours or every 3 days (DHCP).