Currently there is a relatively easy-to-trigger DoS in the try_login handling. Something like 160 parallel bad login requests will overload the server and block it.
Mitigation:
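// if user not found, password wrong, account disabled:
$val = xcache_inc("loginfail:{$ip}", 1, 300); // add 1 to the failure counter; TTL 300 s = 5 minute window
if ($val >= 5) {
    // too many failures from this IP: set a lockout flag (TTL assumed equal to the window)
    xcache_set("lockout:{$ip}", true, 300);
    $x = 5; // minutes to wait (assumed: the full lockout period)
    echo "please wait $x minutes";
}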
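The mitigation above as a complete flow, written as an added example and not taken from the project's code: the lockout flag is checked before the credential check runs, and a simulated clock shows the counter and lockout expiring. `TtlStore`, `guardedLogin`, the `$check` callable and the sample IP are hypothetical; the in-memory store stands in for the xcache calls so the script runs from the PHP CLI (7.4 or later) without the extension.

```php
<?php
// Added example. TtlStore is a hypothetical in-memory stand-in for the xcache_* calls.
final class TtlStore
{
    private array $items = [];   // key => [value, expiresAt]
    private int $now = 0;        // simulated clock, in seconds
    public function advance(int $seconds): void { $this->now += $seconds; }
    public function get(string $key)
    {
        $item = $this->items[$key] ?? null;
        return ($item !== null && $item[1] > $this->now) ? $item[0] : null;
    }
    public function set(string $key, $value, int $ttl): void
    {
        $this->items[$key] = [$value, $this->now + $ttl];
    }
    // The TTL is set by the first failure only, so the window is fixed, not sliding.
    public function inc(string $key, int $ttl): int
    {
        $next = ($this->get($key) ?? 0) + 1;
        if ($next === 1) { $this->set($key, 1, $ttl); } else { $this->items[$key][0] = $next; }
        return $next;
    }
}

const WINDOW = 300;    // 5 minute window, as in the mitigation
const MAX_FAILS = 5;   // failures allowed per window before lockout

// $check is a hypothetical callable standing in for the real credential check.
function guardedLogin(TtlStore $cache, string $ip, callable $check): string
{
    if ($cache->get("lockout:{$ip}")) {
        return 'locked';   // refused before any credential work is done
    }
    if ($check()) { return 'ok'; }
    if ($cache->inc("loginfail:{$ip}", WINDOW) >= MAX_FAILS) {
        $cache->set("lockout:{$ip}", true, WINDOW);
    }
    return 'failed';
}

// Constructed input: seven bad logins from one IP, then one more after the window.
$cache = new TtlStore();
for ($i = 1; $i <= 7; $i++) {
    echo $i, ': ', guardedLogin($cache, '203.0.113.7', fn() => false), PHP_EOL;
}
$cache->advance(WINDOW);
echo 'later: ', guardedLogin($cache, '203.0.113.7', fn() => false), PHP_EOL;
```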