Naive solution*
How is this brute-force attack protection. What are the chances of getting it correct in the first login attempt?