even limiting to 3 instead of 5 is a good idea, if you mess up twice you're going to send the password to yourself and log in using the correct pw. like i said in my comment they can limit how many times you can send a pw to yourself so why not limit how many times you can attempt to log in in 24 hours?