You can’t really prevent a brute force attack. Even if you prevent it from one IP or so, you can still do “distributed” brute force attacks.
Also only allowing one password per 5 seconds or so per IP will not work if you have lots of users and they are at work and have the same IP.
as a young IT with friends who dont know much about IT i have to say that most around 20 use reddit, instagram, … cause its the only thing they know. everyone they know uses them and many of them want likes, …
if they would join the fediverse:
=> give it a few more years and get your friends, family & collegues on here and see the fediverse grow