At the serverside, theprotocolsets up a maximumtryingnumbertoprevent the brute-forceattack, anda look-aheadparameterto realize counterresynchronization.
Also, client-side JavaScript encryption has its limitations since it would still be susceptible to a server-side code poisoning attack executed either through a man-in-the-middle attack or the service provider acting maliciously or subject to jurisdictional court order.