The change-password page on a web application did not lock accounts after multiple failed login attempts, so an attacker could keep guessing passwords by brute force without limit. To prevent brute-force password cracking, the application should be configured to lock an account for 30 minutes after 10 consecutive invalid login attempts, in accordance with the National IT Security Password Policy. This would stop ongoing password-guessing attacks and the resulting compromise of user accounts.
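The lockout rule described above, as an added Python example that is not part of the original finding or the application it describes. The 10-attempt threshold and the 30-minute lockout come from the finding; the class and method names, the injectable clock and the in-memory per-account state are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10          # consecutive failures allowed before lockout
LOCKOUT_SECONDS = 30 * 60         # 30-minute lockout window


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Tracks consecutive failed attempts per account and enforces the lockout.

    `clock` is injectable so the behaviour can be tested without waiting
    30 real minutes (assumed design, not from the original finding).
    """

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.accounts = {}        # username -> AccountState (in-memory, constructed)

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        return self.clock() < self._state(username).locked_until

    def attempt(self, username, password, verify):
        """Run one login/change-password attempt; returns 'locked', 'ok' or 'failed'.

        While locked, the credential is not even checked, so a correct guess
        during the window gives the attacker no signal and no access.
        """
        st = self._state(username)
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if verify(username, password):
            st.consecutive_failures = 0   # a success resets the consecutive counter
            st.locked_until = 0.0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.consecutive_failures = 0   # counter restarts once the lock expires
            return "locked"
        return "failed"
```

The same `attempt` wrapper should guard every endpoint that verifies the current password, including the change-password page, not only the login form.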