BRUTEFORCE Password Cracker question.

If the password is being submitted from a non-secure, unencrypted webpage, you might as well have no security at all. If the passwords are stored in a file somewhere in the web directory structure and not in a remote database, that’s even worse. If any of the above is true, then brute force isn’t necessary to obtain passwords or bypass the login screen. At the very least, you should implement a challenge-response system with a maximum number of retries before disabling the account. You should also implement a better password picking policy. I’m surprised that you have developers coding it any other way… well, maybe I shouldn’t be. :)
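The two mitigations the reply recommends, a retry limit that disables the account and a stricter password picking policy, can be demonstrated together. The following is an added example, not code from the original post: an in-memory account store with salted PBKDF2 password hashing, a constant-time comparison, a failed-attempt counter that locks the account once `MAX_RETRIES` is reached, and a simple length-plus-character-class policy enforced at registration. The names `AccountStore`, `MAX_RETRIES`, `LOCKOUT_SECONDS`, the iteration count and the policy thresholds are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import time

# Assumed values for this example; tune them to the application's risk profile.
MAX_RETRIES = 5          # failed attempts tolerated before the account is disabled
LOCKOUT_SECONDS = 900    # how long the account stays disabled after that
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of the password; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_meets_policy(password: str) -> bool:
    """Illustrative policy (assumed): at least 12 characters and 3 of 4 character classes."""
    if len(password) < 12:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


class AccountStore:
    """Constructed in-memory store; a real deployment keeps this in a database
    outside the web root, as the post advises, not in a file under the web tree."""

    def __init__(self):
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self._accounts[username] = {
            "salt": salt,
            "hash": digest,
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same hashing work for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return "denied"
        if now < acct["locked_until"]:
            # Account is disabled: reject even a correct password until the
            # lockout expires, so the retry limit cannot be bypassed.
            return "locked"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_RETRIES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Correct-Horse-42")
    print(store.login("alice", "Correct-Horse-42"))   # ok
    for _ in range(MAX_RETRIES):
        print(store.login("alice", "wrong-guess"))     # denied x4, then locked
    print(store.login("alice", "Correct-Horse-42"))   # locked
```

The lockout is keyed on the account rather than on the client address, which is what "disabling the account" in the post implies; in practice the lockout events should also be logged so that a burst of them across many accounts is visible to monitoring.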