by EGreg 4042 days ago
I have never found a good solution to the trade-off of protection against brute-force vs availability.

If I disallow X requests per second then I might enable DoS attacks on a user.

What if a cluster of zombie machines around the world is attempting to log in as a politician to Gmail at their publicly known address? How would the politician ever get in, if login attempts are rate limited?

1 comment

The rate limit can be per username, per IP address, per time period (you receive one notification once every 10 minutes), or a combination. Yes, when you have a botnet of a few thousand computers you could DoS someone. But with that in hand you can also DoS every web service on the internet (with a few exceptions).
But sometimes DoSing an individual is more effective.
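To show how the choice of key changes the trade-off the question raises, here is an added Python sketch (not code from the thread) of a sliding-window limiter that can be keyed per username, per IP, or per (username, IP) pair, with the "one notification per 10 minutes" throttle from the reply; the account name and IP addresses are constructed.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)                            # only allowed events are counted
        return True

class LoginGuard:
    """Throttle login attempts; `key_fn(user, ip)` picks what the counter is keyed on."""
    def __init__(self, key_fn, limit=5, window=60):
        self.key_fn = key_fn
        self.limiter = SlidingWindowLimiter(limit, window)
        self.notify = SlidingWindowLimiter(limit=1, window=600)  # one alert per 10 minutes
        self.alerts = []

    def attempt(self, user, ip, now):
        if self.limiter.allow(self.key_fn(user, ip), now):
            return "allowed"
        if self.notify.allow(user, now):      # warn the account owner, but not on every hit
            self.alerts.append((user, now))
        return "blocked"

def simulate(guard):
    """Constructed scenario: 1000 distinct bot IPs hit one account once a second,
    then the real owner logs in from their own (constructed) address."""
    for i in range(1000):
        guard.attempt("politician", f"10.{i // 256}.{i % 256}.1", now=float(i))
    owner = guard.attempt("politician", "203.0.113.7", now=1001.0)
    return {"owner": owner, "alerts": len(guard.alerts)}

if __name__ == "__main__":
    print("per user      :", simulate(LoginGuard(lambda user, ip: user)))        # owner locked out
    print("per IP        :", simulate(LoginGuard(lambda user, ip: ip)))          # botnet never throttled
    print("per user + IP :", simulate(LoginGuard(lambda user, ip: (user, ip))))  # owner still gets in
```

Keyed on the username alone, the distributed attack locks the owner out (the DoS the question worries about); keyed on IP alone, a thousand-address botnet is never throttled; keyed on the pair, each bot address is throttled separately while the owner's own address is untouched, which is why the reply suggests a combination.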