Users, log-in logic should be improved to allow better mechanisms like, detect and lock a user who is trying to brute-forcely log-in, and optionaly show a Captcha.
With OutSystems 10, you now have built in bruteforce attacks protection, along with a series of other security protection mechanisms, managed centrally (e.g. HSTS, Content security policies). Some details at https://success.outsystems.com/Documentation/10/Getting_Started/01_New_in_OutSystems_10
As for Captchas, given there are multiple patterns, and no default is a good default for every type of application, we leave it to our developers to reuse common Captcha components available in the Forge (or others from the web).