Invalid password should not throw

This page is a capture in the next bucket of the product backlog — a pre-sprint idea, not yet pulled into a sprint as a story.

At present in the unlock test we have:

BOOST_LOG_SEV(lg, info) << "Locking account by failing 5 login attempts";
auto ip = internet::ipv4();
for (int i = 0; i < 5; ++i) {
    try {
        sut.login(account.username, "wrong_password", ip);
    } catch (...) {}
}

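This is very suspicious: the empty catch (...) swallows whatever login throws, so the test cannot tell a rejected password from an unrelated failure. A failed login should just return false or the modern C++ equivalent (std::expected?).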
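A sketch of the non-throwing shape, added here as an example and not taken from the project's code: a wrong password comes back as a value, and the lockout loop checks each attempt instead of swallowing exceptions. The names login_result, account_service, add_account, lock_by_failed_logins and max_failures are hypothetical, the IP is a plain string, and an enum stands in for std::expected so the block builds without C++23.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical result type: a wrong password is an expected outcome, not an error.
enum class login_result { ok, invalid_credentials, account_locked };

const int max_failures = 5;  // matches the 5 attempts in the unlock test

// Hypothetical stand-in for the page's `sut`; a real service would verify
// a password hash rather than compare plaintext.
class account_service {
    struct record { std::string password; int failures; };
    std::map<std::string, record> accounts_;
public:
    void add_account(const std::string& user, const std::string& password) {
        accounts_[user] = record{password, 0};
    }
    // Exceptions stay reserved for real faults (here: a missing source IP).
    login_result login(const std::string& user, const std::string& password,
                       const std::string& ip) {
        if (ip.empty()) throw std::invalid_argument("missing source ip");
        auto it = accounts_.find(user);
        // Unknown users get the same answer as a wrong password.
        if (it == accounts_.end()) return login_result::invalid_credentials;
        record& r = it->second;
        if (r.failures >= max_failures) return login_result::account_locked;
        if (password != r.password) { ++r.failures; return login_result::invalid_credentials; }
        r.failures = 0;
        return login_result::ok;
    }
};

// The lockout step without catch (...): every attempt must fail for the
// expected reason, and an unexpected exception propagates and fails the test.
bool lock_by_failed_logins(account_service& sut, const std::string& user,
                           const std::string& real_password, const std::string& ip) {
    for (int i = 0; i < max_failures; ++i) {
        if (sut.login(user, "wrong_password", ip) != login_result::invalid_credentials)
            return false;
    }
    // Once locked, even the correct password must be refused.
    return sut.login(user, real_password, ip) == login_result::account_locked;
}

int main() {
    account_service sut;
    sut.add_account("alice", "s3cret");  // constructed sample account
    return lock_by_failed_logins(sut, "alice", "s3cret", "192.0.2.1") ? 0 : 1;
}
```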
