Rate limiting surely must help?
I see he suggests blocking stuff even in the top 1mill most common passwords.
Assuming my server's current SSH password fits that, you'll have a fairly poor chance. Even if you "get lucky" and would've hit on it in your first 1,000 tries... Fail2ban kicks you out for at least 5 hours after 3 failed tries on any service (not sure if it combines all services ie fail HTTPS login, fail SMTP, fail IMAP = ban). Denyhosts(more focused on SSH IIRC) kicks you out by blacklisting your IP, and said IP is blacklisted until I remove it if I remove it. When I used to care if I was seeing lots of IP's from a similar range or host (including things like AWS) or Comcast I'd contact the ISP but also block them till I heard back except NZ ISP's (didn't want to risk blocking a significant chunk of potential customers!). I must say Comcast were actually the best at dealing with complaints in my experience, while NZ ISPs were collectively the worst, usually didn't even respond (Actrix were pretty good though).
I digress. I use tools to rate limit and ban IP's either for several hours or indefinitely for failed login attempts. The vast majority of script kiddies/bots etc are going to go elsewhere. If I were a juicier target then perhaps a more determined attacker would be willing to try again after 5 hours, but it's unlikely what I have running today warrants that level of attention/effort.
Oh, my bank doesn't do 2fa, but it does have a pretty decent login system and only 3 failures before you have to visit a branch to get your access restored.
TL;DR Good rate limiting can means you can only make a couple of attempts every few hours, or even have to get your account manually reset.