It's not Fort Knox, mainly because I refuse to take much information from users, so even if baddies get in, they won't get much they can use.
Admins can't log into the frontend (as admins), so hackers can't deduce power user logins from this, or escalate privileges.
That's kind of blasphemy, with the HN crowd, I know, but we aren't interested in selling anything. It's a pure service.
I won't limit retries, because locking users is about as bad as you can get, with user-abusability. I just make sure that the fox ain't worth the chase, and make the chase just a bit more difficult, so hackers will waste their time on low-hanging fruit (that tastes pretty bad).
That's why we drastically limit collection of PII.
It really seems to be unusual, for folks to limit data collection. I'm always surprised, when folks seem surprised at how little we collect (and we don't actually "collect" the data, as it never leaves the server, and we don't really do anything with the bit we have. It's just enough to give the user a unique ID, and allow other users to anonymously contact them).
It does make administration and forensics a bit more challenging, but that's our problem; not the user's.