I have created Issue 336 with a patch that adds brute-force attack protection to the admin application using the input gathered from everyone:

http://code.google.com/p/web2py/issues/detail?id=336

This does NOT add a password complexity requirement, as it seems this is a touchy issue at the moment (understandable). Instead, this takes Massimo's idea of an increasing delay based on the number of failed attempts. After the fourth failed login attempt, the user is told they have one more attempt before being locked out. After the fifth failed attempt, the IP address is locked out permanently. If, at any time before the lock out, the user enters the correct password, then the failed attempt counter is reset to zero.

The Google Code issue has all the details, including instructions on how to unblock an IP address. I have done some extensive testing using a number of use cases, so I hope this works as advertised.