by Molomby 3918 days ago
Totally agree with your sentiment but in this case I don't see how rate limiting helps, or at least not much.

If you're building a botnet you don't need to crack any specific machine so you can distribute your attempts across more hosts. E.g. rather than hitting one machine with 1,000 pwords/sec you target 1,000 machines at 1 pword/sec each (or whatever rate you're limited to). There's no shortage of badly configured routers.


The number of people that have more than 10 machines at their disposal is much smaller and would have stayed much smaller if it weren't for this poor default in the first place.

I'd go further and just argue that password based login should do a password strength calculation by default and estimate how long it will take you to get cracked.

"You've entered the password; this machine will be cracked in roughly 5 days. Would you like to set a different password? (n / Y)"
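An added example (not from either commenter) of the crack-time estimate the second comment proposes, in Python: it infers the character classes used in a password, estimates the expected number of guesses for an exhaustive search, and turns that into the suggested prompt at an assumed total guess rate, which in the distributed case above is the per-host rate limit times the number of hosts. The character-class sizes and the uniform exhaustive-search model are assumptions, and an attacker using a wordlist will do much better against common passwords than this model predicts.

```python
import string

# Constructed charset sizes (assumption): ASCII lower, upper, digits, and
# printable punctuation including space.
PUNCTUATION_SIZE = len(string.punctuation) + 1

def charset_size(password: str) -> int:
    """Size of the smallest union of character classes covering the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += PUNCTUATION_SIZE
    return size

def expected_guesses(password: str) -> float:
    """Expected guesses for an exhaustive search over the inferred charset:
    on average the attacker finds the password after half the keyspace."""
    return (charset_size(password) ** len(password)) / 2

def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected time to crack at a total guess rate; for a distributed attacker
    that rate is roughly (per-host rate limit) * (number of hosts)."""
    return expected_guesses(password) / guesses_per_second

def format_duration(seconds: float) -> str:
    """Round a duration to its largest whole unit, e.g. '5 days', '3 years'."""
    units = [("year", 365 * 86400), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1)]
    for name, size in units:
        if seconds >= size:
            count = f"{seconds / size:.0f}"
            return f"{count} {name}{'' if count == '1' else 's'}"
    return "less than a second"

def strength_prompt(password: str, guesses_per_second: float) -> str:
    """The warning the comment suggests a login setup should print."""
    eta = format_duration(seconds_to_crack(password, guesses_per_second))
    return (f"You've entered the password; this machine will be cracked in "
            f"roughly {eta}. Would you like to set a different password? (n / Y)")

if __name__ == "__main__":
    # 1,000 hosts at 1 guess/sec each, as in the thread: 1,000 guesses/sec total.
    print(strength_prompt("password", guesses_per_second=1000))
```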