Most brute-forcing at scale isn't for a specific account, it's for {uname,password} tuples. As in, you buy these combo lists online and rent a botnet to try them out on a list of sites.
What would your advice achieve?
I changed the "you" to "your advice", but I think that's a petty distraction since I'm making specific points against your advice, not you as a person. And this comment is an example of what seems to be a disconnect between your understood attack models and the attacks that people actually need to defend against.
Discord defends against combo lists by showing a CAPTCHA and asking for email confirmation if you log in from a new location, but no challenge is shown during the default login flow.