For #8, rememdiate by storing the attempt counter in the database. Consider how to make it tamper-resistant.