Add a configuration variable to allow for brute force protection, where an IP address is locked out for a specified time after so many failed login attempts.
Not necessarily a high priority right now, but as the install-base begins to grow we could definitely see bots start targeting installs, especially if they have a weak API key.