With default cake login procedures a user could try unlimited passwords to one specific account. That means, if you write a bot that tries every possible combination (thousand times per minute!), this bot could eventually gain access to the account….