by rwdim 2038 days ago
The problem with this statement is that no computer can test 100B passwords against today’s authentication mechanisms in any meaningful way without being blocked or IP banned. A worm or other distributed mechanism is the only way to test any large number of passwords against a viable authentication mechanism so as to require the mechanism to block ALL IP access or disable the account.

So, yeah, your password is probably safe unless it’s something ridiculously simple.

Enable 2FA and your accounts are virtually impregnable, unless of course you have already been compromised before doing so.

1 comments

If the hacker has direct DB access (as they so often do), then rate limits don't really matter (nor does 2FA, they can just get the secret right out of the database and use that to generate their own codes).
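
Added example, not part of either comment above: a minimal RFC 6238 TOTP verifier in Python illustrating the reply's point that a one-time code is a pure function of the stored secret and the clock, so a failed-attempt lockout constrains only parties who do not hold that secret. The `Verifier` class, its five-failure lockout, the `outcomes` helper and the sample secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 test key), standing in for the
# per-user value a service stores in its database.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check with a failed-attempt lockout."""
    MAX_FAILURES = 5  # assumed policy, not taken from the thread

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0

    def check(self, code: str, now: int) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "rejected"


def outcomes(now: int = 59):
    """Compare a party guessing codes with one that holds the stored secret."""
    guessing = Verifier(SAMPLE_SECRET)
    guess_results = [guessing.check(f"{n:06d}", now) for n in range(6)]
    holder = Verifier(SAMPLE_SECRET)
    holder_result = holder.check(totp(SAMPLE_SECRET, now), now)
    return guess_results, holder_result


if __name__ == "__main__":
    print(outcomes())
```

The lockout fires only for the guessing party; a common mitigation for the case the reply describes is to keep TOTP secrets encrypted under a key held outside the database.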