Unless there is not a pretty standard anti-brute forcing measure in place where the login is disabled for X amount of time after X amount of failures, that third point is completely valid. I haven't tested it myself.