Two things that are missing: first, to protect against brute-force attack it is good to institute a negligible at first delay in the authentication process, increasing the delay after several failed attempts (perhaps only for give IP).
Second, if a password complexity rule prevents the user from using a password manager, it is not a good rule.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Two things that are missing: first, to protect against brute-force attack it is good to institute a negligible at first delay in the authentication process, increasing the delay after several failed attempts (perhaps only for give IP).
Second, if a password complexity rule prevents the user from using a password manager, it is not a good rule.