It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.
This won't help. They do not brute-force it like this.
What matters is the amount of entropy in the passphrase.
Please read what
PBKDF2 is.
It's even in principle possible to make a system where single word passwords like 'apple12' are safe, but key generation would be way too long.
That makes sense, I'm still locked into thinking about how an attack on a PC or client software works, rather than how attacks against the blockchains password database are implemented.
So the
PBKDF2 function produces a
derived key, using multiple (1000+) hashes of the original passphrase (+ optional
salt phrase) which has the effect of massively ramping up the computing power needed to reverse engineer the hash and thus the password/phrase.
Am I getting closer here?