So on the server side, be sure to put a time delay between login attempts, and lock the account after a few bad login attempts.

And give attackers an easy denial of service attack? (Deny our customers service -- no botnet needed!)