[walrus01]

at 25,000 login attempts per user if you're not doing common sense rate-limiting of attempts per username, and rate limiting per IP space origin (either discrete ipv4 /32 or attempts from within a whole ASN), you've got other problems.

the rate-limit and blockage time for attempts should increase ban time/lockout-timer on an exponential time scale the more that a single browser/useragent/browser fingerprint/IP makes incorrect attempts.

yes obviously there are people out there with fully automated systems who will try massive lists of commonly used plaintext passwords for authentication if you don't throttle/rate-limit it.

[FrenchDevRemote]

>yes obviously there are people out there with fully automated systems who will try massive lists of commonly used plaintext passwords for authentication if you don't throttle/rate-limit it.

and those people use single browser/single useragent/single browser fingerprint/single IP

the people competent enough to send millions of requests are usually also competent to send hard to detect requests

there are dozens of (free)tools/services offering those capabilities for LEGITIMATE purposes(like scraping)

there is an even bigger underworld market for paid tools for illegitimate purposes

[walrus01]

if you're sending millions of requests you still have a finite number of proxies to use, it would be thousands to tens of thousands of requests per discrete /32 ipv4 proxy address, and not hard to detect as an abnormal volume of attempts per IP.

even if you see something like a single /32 address that is probably the public facing endpoint of a mobile phone carrier's cgnat and has MANY users behind it, trying different password attempts, you can still rate limit the number of attempts per unique username.

the actual amount of legit requests that a human who has forgot their password makes is 99.9% of the time under ten requests per account before they give up.

[FrenchDevRemote]

And that "finite number" is tens of millions, or even hundred of millions, spread across providers, spread across almost any location. From 4G proxy farms, to botnets of residential IPs, to grey area apps that rewards user for sharing their connection.

And ok, let's assume it came from the same block of ips(which rarely happens) what do you do when those IP blocks are from IDK, Verizon or AT&T in the middle of New York?You block half the city?

+if the attacker is trying it on all accounts, what are you gonna do? rate limit all accounts? and now anytime a user forgot his password he have to contact support because he can't even do it himself so your support is overwhelmed by 1000s of request every day?