Also please thwart brute force attempts
Also please thwart brute force attempts. The password policy is not good, but an attacker should also not be able to attempt to log in 1000s and 1000s of times. Shouldn't the account lock, or the IP address be blocked or something if there's 1000s of attempts? I mean obviously the answer should be "yes".