I could call that list deliberately malicious from a user experience standpoint:

> Are password entropy checks done during user sign-up, using, say AUTH_PASSWORD_VALIDATORS?

No. It's my information to be stolen, not yours. So then it is my choice whether to use 123 as a password or not. Why should I care to manage a complex password when I use your service, e.g., twice a year and have no important information there? (If you really believe that people are eager to fill a website with their authentic personal info unless they have no other options, you are probably fooling yourself.)

The better alternative is just no registration at all :)

> Are failed login attempts throttled and IP addresses banned after a number of unsuccessful attempts?

So, you hadn't listened to the previous piece of advice and forced me to create a password that would've passed through the password checker. Six months passed and now I have to remember it (I really don't want to bother with managing and storing a password to your service anyway). As you could imagine, it takes several tries, a dozen or two, maybe even three, depending on that cool password validator of yours. Do you say that I need to use Tor or have some pool of spare IP addresses just to log in to your service?

> Are all form fields (with the exception of password fields) validated with a restrictive regex?

Aha, start with an email and surname, polish with an address ;) Then your service will make it straight to oblivion even faster!

> Do you have an account recovery flow? Delete it immediately.

Quite appropriate actually: when all Tor exit nodes are banned by your login attempt throttler, those retards with severe memory impairment (whom you sometimes by mistake call "clients" in your marketing bullshit) still must not have a glimpse of a chance to use their account!