I realise quite a lot of people use VNC, quite often on internet-connected systems.

1. Is there any theoretical barrier to a VNC password being brute-forced reasonably easily / quickly?

2. Is there any logging in VNC servers for incorrect passwords.

3. Does the IP of connections get logged?

It strikes me that although VNC uses a (fairly) strong password authentication scheme itself, there are no mechanisms to prevent brute-forcing.

Also as VNC has no usernames, forcing VNC passwords only is required, as there is not a username required.

If these things are true, should we not petition [i.e. make] for a stronger version of VNC?

PS: Don't flame me for putting this in *NIX, I realise VNC works on non-UNIX systems too, but there isn't a "Platform independent security discussions" forum.