Hello António.
Bruteforce in login is a common weakness that can be easy to solve.
The most effective solution is implementing a CAPTCHA, in web2py I use google recaptcha because the implementation is easy and stops all the automations.
In py4web I'm still unable to implement it in the login form and there is no to much information about how to make it.
In web2py I'm quite sure that it is not possible to submit the same form twice because it has a csrf token or similar so the bruteforce is not that simple like repeating the login post. If a script resends the same post will be not processed due the token is reused.
In py4web forms have csrftoken but I'm not sure if they work the same like in web2py. Months ago it was possible to resend twice the same post data and accepted. I haven't tested in those days, but I will, because it is something that makes noise.
In my experience an account lockout policy is effective but very annoying to the users.
I would not say that brute force in login forms is a big task and consumes too much CPU. These functions usually are small and make small queries to the database. Most of the time a public endpoint like index or a landing page can consume more CPU than the login task.
Greetings.
Chris.