diff --git a/config/PacketRateLimits.ron b/config/PacketRateLimits.ron
index cd6018a..1edf8cc 100644
--- a/config/PacketRateLimits.ron
+++ b/config/PacketRateLimits.ron
@@ -6,6 +6,7 @@
 (
 packets: [
+ (family: "Account", action: "Agree", limit: 1000),
 (family: "Attack", action: "Use", limit: 500),
 (family: "Bank", action: "Open", limit: 1000),
 (family: "Barber", action: "Open", limit: 1000),
diff --git a/src/player/player/handlers/account.rs b/src/player/player/handlers/account.rs
index 7c573e9..dbfdb48 100644
--- a/src/player/player/handlers/account.rs
+++ b/src/player/player/handlers/account.rs
@@ -275,7 +275,15 @@ impl Player {
 }
 };
+ self.login_attempts += 1;
+
 if !exists {
+ if self.login_attempts >= SETTINGS.server.max_login_attempts {
+ self.close("Too many password change attempts".to_string())
+ .await;
+ return;
+ }
+
 let _ = self
 .bus
 .send(
@@ -328,6 +336,12 @@ impl Player {
 let username: String = row.get("name").unwrap();
 let password_hash: String = row.get("password_hash").unwrap();
 if !validate_password(&username, &agree.old_password, &password_hash) {
+ if self.login_attempts >= SETTINGS.server.max_login_attempts {
+ self.close("Too many password change attempts".to_string())
+ .await;
+ return;
+ }
+
 let _ = self
 .bus
 .send(
@@ -344,6 +358,8 @@ impl Player {
 return;
 }
+ self.login_attempts = 0;
+
 let account_id: i32 = row.get("id").unwrap();
 let password_hash = generate_password_hash(&username, &agree.new_password);
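Review bot: The guard added in the `@@ -275,7 +275,15 @@` hunk of account.rs counts failures in `self.login_attempts`, a field on `Player`, so as far as this diff shows the limit is per connection and a client that reconnects starts again from zero. If the goal is to slow password guessing against an account, the count has to live server-side, keyed by account name and/or remote address, with this check kept as a cheap first line. At minimum I would state the scope above the increment, e.g. `// per-connection only: a reconnect resets this count`. The same applies to the identical guard in the `@@ -328,6 +336,12 @@` hunk. Whether `close` logs the reason is not visible here; if it does not, a warning-level log line before closing would give operators something to alert on.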
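Review bot: The five-line guard in the `@@ -328,6 +336,12 @@` hunk is a verbatim copy of the one added at `@@ -275,7 +275,15 @@`, message string included, so the two can drift apart on the next edit. A small private async method on `Player` that does the comparison and the `close` call and returns a `bool` would reduce each call site to one `if` followed by `return;`. The comparison also runs after the increment added in the earlier hunk, so the attempt that reaches `max_login_attempts` is closed without the normal failure reply. If that is intended, a comment such as `// the attempt that hits the limit gets a close, not a reply` would save the next reader from working it out. The enclosing handler starts and ends outside the hunk.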
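Review bot: `self.login_attempts = 0;` in the `@@ -344,6 +358,8 @@` hunk clears the counter as soon as the old password validates, before the new hash is generated and before whatever persists it further down, which is outside the hunk. If that later step can fail, the failure count is wiped without the change having taken effect; moving the reset to after the update succeeds avoids that. The field name suggests the counter is shared with the login handler. If so, a comment such as `// shared with login: a successful change also clears login failures on this connection` would make the coupling explicit, or a separate counter for password changes would remove it.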