Password Invalid causes infinite loop
If the password is invalid, the client will keep trying it, annoying the server (DDoS-like) and the user (unable to reset password, etc.)
It probably should have a limit on how many attempts to perform, and once hit, return a dlcode (finish the login sequence) and ask the user if they want to retry or set a new password.
Also: The login failure warning should go away after a while. Right now they're stacking and this makes the client a bit unresponsive.
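
A sketch of the two behaviours requested above, added here as an illustration and not taken from the project's code: a login loop that stops after a fixed number of rejected attempts and hands control back to the user, and a warning list whose entries expire. All names (`login_with_limit`, `WarningTray`, `InvalidPassword`), the limit of 3 and the 10-second lifetime are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_ATTEMPTS = 3    # assumed limit; the issue does not name a number
WARNING_TTL = 10.0  # assumed seconds before a failure warning disappears


class InvalidPassword(Exception):
    """Server rejected the credentials; the same password will not succeed."""


@dataclass
class LoginResult:
    ok: bool
    attempts: int
    needs_user_action: bool  # True -> ask: retry, or set a new password


def login_with_limit(try_login, password, max_attempts=MAX_ATTEMPTS,
                     base_delay=1.0, sleep=time.sleep):
    """Call try_login(password) at most max_attempts times, then stop."""
    for attempt in range(1, max_attempts + 1):
        try:
            try_login(password)
            return LoginResult(True, attempt, False)
        except InvalidPassword:
            if attempt < max_attempts:
                # Back off (1s, 2s, ...) so the server is not hammered.
                sleep(base_delay * 2 ** (attempt - 1))
    # Limit reached: finish the login sequence instead of looping forever.
    return LoginResult(False, max_attempts, True)


@dataclass
class WarningTray:
    """Failure warnings that expire instead of stacking without bound."""
    ttl: float = WARNING_TTL
    clock: Callable[[], float] = time.monotonic
    _items: list = field(default_factory=list)

    def add(self, text):
        self._items.append((self.clock() + self.ttl, text))

    def visible(self):
        now = self.clock()
        self._items = [(exp, t) for exp, t in self._items if exp > now]
        return [t for _, t in self._items]
```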