by tialaramex
2540 days ago
Use something like random token buckets, not simple rate limiting. If a user fails credential checks (e.g. password), track it; if their current failure rate is N, tell them they tried too many wrong credentials and to come back later. Every random(1,T) seconds, any failed users get their failure count reduced by one until it's zero, and you stop tracking it for now. By choosing N and T you can give users a relatively large number of "goes" to remember their password after a long period away, but not give attackers too many chances to guess a not-awful password by brute force. For example, if N is 10 and T is 7200, then a user can try ten passwords, then an average of 24 more attempts per day, but exactly when they can make another attempt is random. This allows your good guys to have a fair chance against any bad guys smashing the "retry" button to try to lock them out. If the bad guys give up and go away, the user quickly returns to having ten attempts.
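The scheme in the comment above, written out as an added example (this is not the commenter's code). The class name `FailureTracker`, its method names, the injectable `rng`/`clock` (so the behaviour can be driven deterministically in tests instead of sleeping for hours), and the choice that a successful login clears the tracked state are all assumptions of this example; the comment itself only specifies N, T and the random(1,T) decay.

```python
import random
import time


class FailureTracker:
    """Per-user failed-login counter with randomised decay.

    A user is blocked while their failure count is >= n. Every
    random(1, t) seconds the count drops by one; when it reaches zero
    the user is forgotten. Lazy evaluation: decrements are applied
    when the user is next looked at, not by a background timer.
    """

    def __init__(self, n=10, t=7200, rng=None, clock=None):
        self.n = n                      # allowed failures before blocking
        self.t = t                      # upper bound of the random decay interval (s)
        self.rng = rng or random.Random()       # assumption: anything with .randint(a, b)
        self.clock = clock or time.monotonic    # assumption: anything returning seconds
        self.counts = {}        # user -> current failure count
        self.next_decay = {}    # user -> time at which the next decrement is due

    def _schedule(self, user, from_time):
        # Next decrement happens random(1, T) seconds after the previous one.
        self.next_decay[user] = from_time + self.rng.randint(1, self.t)

    def _decay(self, user, now):
        # Apply every decrement whose random deadline has already passed.
        while user in self.counts and self.next_decay[user] <= now:
            self.counts[user] -= 1
            if self.counts[user] <= 0:
                # Back to zero: stop tracking this user entirely.
                del self.counts[user]
                del self.next_decay[user]
            else:
                self._schedule(user, self.next_decay[user])

    def allowed(self, user):
        """True if the user may attempt a credential check right now."""
        self._decay(user, self.clock())
        return self.counts.get(user, 0) < self.n

    def record_failure(self, user):
        """Call after a failed credential check."""
        now = self.clock()
        self._decay(user, now)
        if user not in self.counts:
            self.counts[user] = 0
            self._schedule(user, now)   # first failure starts the decay timer
        self.counts[user] += 1

    def record_success(self, user):
        """Assumption of this example: a successful login clears the state."""
        self.counts.pop(user, None)
        self.next_decay.pop(user, None)


def expected_attempts_per_day(t):
    """Mean number of extra attempts a blocked user regains per day.

    random(1, t) has mean (1 + t) / 2 seconds between decrements, so for
    t = 7200 this is about 24, matching the figure in the comment.
    """
    return 86400 / ((1 + t) / 2)


if __name__ == "__main__":
    tracker = FailureTracker(n=10, t=7200)
    user = "alice"   # constructed sample user
    for attempt in range(12):
        if not tracker.allowed(user):
            print(f"attempt {attempt + 1}: too many wrong credentials, come back later")
            break
        tracker.record_failure(user)
        print(f"attempt {attempt + 1}: wrong password, count={tracker.counts[user]}")
    print(f"expected extra attempts per day: {expected_attempts_per_day(7200):.1f}")
```

Because decay is evaluated lazily on access, the tracker needs no timer thread, and an attacker hammering "retry" cannot learn when the next slot opens: each `allowed` check only reveals whether the current count is below N, while the moment the count drops is chosen by the server's RNG.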