Password Rules Are Bullshit

Any reason why “aggressive” rate limiting can’t be “super aggressive” if a password matches one from the common list?

So instead of doubling the timeout (or whatever) between attempts, an attempt to use a password matching one in the list will give a 10x or 100x timeout?

If it’s a genuine user then the extra delay after trying ‘qwertyuiop’ instead of the ‘qwertyuiopILOVEBEER’ they changed it to when told that their initial choice was insecure might give them some time to ponder their life choices, but will likely not stop them getting in eventually.

An automated hack, though, will quickly run into an effective brick wall after only a few failed attempts, once the timeout has reached a few hours.

1 Like
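The escalating, list-aware lockout this comment proposes, written out as an added example (not code from the thread or the site it discusses). The common-password set, the base delay, the 100x multiplier, the daily cap and the `verify` callback are all assumed values; a real deployment would tune them and load the list from a file.

```python
import time
from dataclasses import dataclass

# Constructed sample of a "common passwords" list; a real one is far larger.
COMMON_PASSWORDS = {"123456", "password", "qwertyuiop", "letmein"}


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last success
    locked_until: float = 0.0  # monotonic timestamp before which attempts are refused


class LoginThrottle:
    """Per-account backoff: delay doubles per failure, x100 if the guess was a common password."""

    BASE_DELAY = 1.0            # seconds after the first failure (assumed)
    COMMON_MULTIPLIER = 100.0   # extra penalty for guesses from the common list (assumed)
    MAX_DELAY = 24 * 3600       # cap so a genuine user is never locked out for days (assumed)

    def __init__(self, common_passwords, clock=time.monotonic):
        self.common = common_passwords
        self.clock = clock          # injectable so tests can control time
        self.accounts = {}

    def delay_for(self, failures, used_common):
        """Lockout length after the Nth consecutive failure."""
        delay = self.BASE_DELAY * (2 ** (failures - 1))
        if used_common:
            delay *= self.COMMON_MULTIPLIER
        return min(delay, self.MAX_DELAY)

    def attempt(self, username, password, verify):
        """Returns ('locked', seconds_left), ('ok', 0.0) or ('denied', lockout_seconds)."""
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if now < state.locked_until:
            # Refuse without even checking the credential while the lockout runs.
            return ("locked", state.locked_until - now)
        if verify(username, password):
            self.accounts[username] = AccountState()  # success resets the backoff
            return ("ok", 0.0)
        state.failures += 1
        # Check the guess against the list only after it has already failed; the
        # client is told only the delay, never which rule produced it.
        delay = self.delay_for(state.failures, password in self.common)
        state.locked_until = now + delay
        return ("denied", delay)
```

Because the lockout is keyed by account, an attacker who knows a username can deliberately lock the owner out; pairing this with per-source-IP throttling and a cap like `MAX_DELAY` limits that side effect.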