Return 429 when there are too many login attempts
For now, we sleep exponentially on login attempts (to prevent brute-force attacks).
But the sleep could become very long (even if we only count attempts over a session timeout period), and so it consumes resources on the server.
I think an option to mitigate this resource consumption would be to unconditionally return a 429 status ('Too Many Requests'). Of course this will block the legitimate user from logging in during such an attack, but that was already the case. But I think this error message will be more meaningful than an unresponsive server for a very long time. And also the administrator could be notified of such an attack by looking at the log for 429 statuses.
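The two policies compared in the post, side by side, as an added example in Python that is not part of the original issue or of the project's code: `delay_seconds()` computes the current exponential sleep, and `check_attempt()` is the proposed alternative that answers with 429 plus a `Retry-After` header and writes a log line for the administrator. The window length (15 minutes), the failure threshold (5), the sleep cap and the per-account keying are assumed values, not the project's.

```python
"""Added example (not the project's code): per-account login throttling.

Two policies over the same sliding window of recent failures:
  * delay_seconds(): the current approach, sleeping 2**n seconds after the
    n-th failure (the server thread is tied up for the whole delay);
  * check_attempt(): the proposed approach, rejecting the attempt at once with
    HTTP 429 and a Retry-After header once the threshold is reached, and
    logging it so an administrator can spot the attack.
"""
import logging
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60    # assumed: failures counted over the session timeout period
MAX_FAILURES = 5            # assumed: failures allowed per window before 429
MAX_SLEEP_SECONDS = 3600    # assumed cap on the exponential sleep, for comparison

log = logging.getLogger("login")


class LoginThrottle:
    """Tracks timestamps of failed logins per account within a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 clock=time.monotonic):
        self.window = window
        self.max_failures = max_failures
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # account -> failure timestamps

    def _recent(self, account, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, account):
        """Call after a password check fails."""
        self._failures[account].append(self.clock())

    def record_success(self, account):
        """A successful login clears the account's failure history."""
        self._failures.pop(account, None)

    def delay_seconds(self, account):
        """Current policy: seconds to sleep, 2**n for n recent failures, capped."""
        n = len(self._recent(account, self.clock()))
        return min(2 ** n, MAX_SLEEP_SECONDS) if n else 0

    def check_attempt(self, account):
        """Proposed policy: returns (status, headers).

        200 means the attempt may proceed to password verification; 429 means
        it is rejected immediately, without verifying the password and without
        sleeping, so no server thread is held for the duration of the attack.
        """
        now = self.clock()
        q = self._recent(account, now)
        if len(q) >= self.max_failures:
            # The oldest failure in the window decides when the client may retry.
            retry_after = int(self.window - (now - q[0])) + 1
            log.warning("429 login throttled account=%s failures=%d retry_after=%d",
                        account, len(q), retry_after)
            return 429, {"Retry-After": str(retry_after)}
        return 200, {}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        throttle.record_failure("alice")
    print("exponential sleep would be", throttle.delay_seconds("alice"), "s")
    print("proposed response:", throttle.check_attempt("alice"))
```

Blocked attempts are deliberately not recorded as failures, so an attacker hammering the endpoint does not extend the lockout forever; the window slides from the oldest real failure, which is also what `Retry-After` reports.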