wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0
742 stars 720 forks

Enable Account Locking policy by default #7190

Open ajanthan opened 4 years ago

ajanthan commented 4 years ago

One of the important countermeasures against password dictionary attacks is locking an account after a number of failed login attempts (the account locking login policy). It is not enabled by default. If it is not enabled in the real world, it is going to open a security risk. To improve the security of deployments we should enable this feature by default.
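To make the policy being discussed concrete, here is an added simulation of a failed-login lock policy and of a dictionary attack run against it with the policy off and on. It is constructed example code, not WSO2 Identity Server code; the setting names (`max_failed_attempts`, `lock_time_seconds`, `lock_time_increment_factor`), the user `alice`, her password and the wordlist are all assumptions of this example. It also shows the escalating lock duration and an administrative unlock, which is the recovery path a locked-out user would need.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LockPolicy:
    """Knobs of a failed-login lock policy. Names are this example's own assumptions."""
    enabled: bool = True
    max_failed_attempts: int = 5
    lock_time_seconds: int = 300           # first lock lasts 5 minutes
    lock_time_increment_factor: int = 2    # each further lock lasts factor times longer


@dataclass
class Account:
    username: str
    password: str                 # plaintext only for the simulation; store a hash in practice
    failed_attempts: int = 0
    lock_count: int = 0           # how many times this account has been locked so far
    locked_until: float = 0.0     # clock value at which the lock expires (0 = unlocked)


class FakeClock:
    """Controllable clock so lock expiry can be exercised without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Authenticator:
    def __init__(self, policy: LockPolicy, accounts, clock):
        self.policy = policy
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock

    def is_locked(self, username: str) -> bool:
        return self.accounts[username].locked_until > self.clock()

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'. Unknown users get 'invalid' to avoid enumeration."""
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"
        if self.policy.enabled and acct.locked_until > self.clock():
            return "locked"            # the guess is not even evaluated while locked
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failed_attempts = 0   # a successful login clears the counter
            return "ok"
        acct.failed_attempts += 1
        if self.policy.enabled and acct.failed_attempts >= self.policy.max_failed_attempts:
            duration = self.policy.lock_time_seconds * (
                self.policy.lock_time_increment_factor ** acct.lock_count)
            acct.locked_until = self.clock() + duration
            acct.lock_count += 1
            acct.failed_attempts = 0
            return "locked"
        return "invalid"

    def admin_unlock(self, username: str) -> None:
        """Recovery path for a locked user: clears the lock and both counters."""
        acct = self.accounts[username]
        acct.locked_until = 0.0
        acct.failed_attempts = 0
        acct.lock_count = 0


def dictionary_attack(auth: Authenticator, username: str, wordlist) -> dict:
    """Try each candidate in order, stopping at the first success; return response counts."""
    counts = {"ok": 0, "invalid": 0, "locked": 0}
    for guess in wordlist:
        result = auth.login(username, guess)
        counts[result] += 1
        if result == "ok":
            break
    return counts


def build_scenario(enabled: bool):
    """Constructed sample data: a 50-word list with the real password at position 20."""
    wordlist = [f"password{i}" for i in range(50)]
    wordlist[19] = "Summer2024!"
    clock = FakeClock()
    auth = Authenticator(LockPolicy(enabled=enabled), [Account("alice", "Summer2024!")], clock)
    return auth, clock, wordlist


if __name__ == "__main__":
    for enabled in (False, True):
        auth, clock, words = build_scenario(enabled)
        print(f"locking enabled={enabled}:", dictionary_attack(auth, "alice", words))
    auth, clock, _ = build_scenario(True)
    for _ in range(5):
        auth.login("alice", "wrong")
    print("first lock lasts", auth.accounts["alice"].locked_until - clock(), "s")
    clock.advance(301)
    for _ in range(5):
        auth.login("alice", "wrong")
    print("second lock lasts", auth.accounts["alice"].locked_until - clock(), "s")
    auth.admin_unlock("alice")
    print("after admin unlock:", auth.login("alice", "Summer2024!"))
```

With the policy disabled the attacker reaches the password on the 20th guess; with it enabled the account locks after the fifth wrong guess and the remaining 45 guesses are rejected without being evaluated, which is the point of the countermeasure. The lock returned to the caller is also the failure mode raised below: a legitimate user who mistypes five times is locked out for the same window, and needs either to wait it out or to be unlocked by an administrator.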

ruwanta commented 4 years ago

-1. The very first users or developers of the downloaded pack make mistakes, including entering wrong passwords. Then the pack becomes unusable. Moreover, it is difficult for inexperienced users (new to the product) to recover from this. There are ways to get it back, but they will most probably spend a considerable amount of time figuring it out.

We need to keep the first-time developer (or evaluator) experience as easy as possible.