If extra layer of "difficulty" is introduced by giving the users the choice of an instance is enough to keep them away, then I'm all for it.
It just needs to be easier for the ones that managed to figure it all out (better apps, stability, UI/UX, and QOL updates)
IMO the only algorithm I'll accept for lemmy/kbin is slightly faster "expiration" for posts, sometimes some posts stay too long on my frontpage.
I think it's good practice to change passwords after an attack no matter what