I’m surprised that this notification was ever removed.*
Exacerbating this, it seems that the current rate limit settings are not working well. This comment suggests that it is possible to make at least 5 repeated failed attempts with a delay of at most 15 seconds between attempts, and at most a 6-min delay between such “bursts”; there are also claims of 30 attempts in 30 min, 400 attempts in 4 hours, or 400 attempts in 5 hours. This indicates that the average rate-limit delay is on the order of 30–60 seconds per attempt, and appears to suggest that the rate limit is not escalated as the number of failed attempts accumulates.
I’m guessing that rate-limiting may be imposed (at least initially) on a per-IP basis, so that failures from one IP address do not rate-limit login attempts from other IP addresses. While this might have some benefit for users (allowing them to log in to change their master password during an attack), it does seem that detection/suppression of distributed attacks can be improved, and that more aggressive escalation of rate-limiting in the face of a sustained attack is necessary.
*Addendum:
I just saw this in the description of PR #5676, which (without additional context) seems worrisome to me:
There is no longer a concept of “maximum login attempts” enforced by the server (or client).
A detailed explanation of the changes made seems warranted, so that the community can be informed of the current state of protection against brute-force attacks.
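The point in the post above about per-IP limits versus escalation can be illustrated with a toy simulation. This is an added example, not part of the original post and not Bitwarden's server logic; the 30-second base delay, the doubling policy, the 15-second retry interval, and every class and function name are assumptions.

```python
# Added example: toy simulation, not Bitwarden's actual rate limiter.
# All names and constants below are assumptions chosen for illustration.
from collections import defaultdict

BASE_DELAY = 30        # s; assumed, near the 30-60 s average estimated above
MAX_DELAY = 24 * 3600  # s; assumed cap on the escalated delay
RETRY_EVERY = 15       # s; each source retries this often (constructed input)


class PerIPFixedLimiter:
    """Fixed delay keyed on source IP; failures never escalate."""

    def __init__(self):
        self.next_ok = {}

    def allow(self, account, ip, now):
        if now < self.next_ok.get(ip, 0):
            return False
        self.next_ok[ip] = now + BASE_DELAY
        return True


class PerAccountEscalatingLimiter:
    """Delay keyed on the target account; doubles per accumulated failure."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.next_ok = {}

    def allow(self, account, ip, now):
        if now < self.next_ok.get(account, 0):
            return False
        self.failures[account] += 1  # every evaluated guess here is a failure
        delay = min(BASE_DELAY * 2 ** (self.failures[account] - 1), MAX_DELAY)
        self.next_ok[account] = now + delay
        return True


def guesses_evaluated(limiter, n_ips, hours):
    """Failed guesses the server evaluates for one account in the window."""
    count = 0
    for now in range(0, hours * 3600, RETRY_EVERY):
        for ip in range(n_ips):
            count += limiter.allow("victim@example.com", ip, now)
    return count


if __name__ == "__main__":
    for cls in (PerIPFixedLimiter, PerAccountEscalatingLimiter):
        print(cls.__name__, [guesses_evaluated(cls(), n, 5) for n in (1, 50)])
```

Under these assumptions the fixed per-IP limiter scales linearly with the number of source addresses, while the per-account escalating limiter evaluates the same small number of guesses regardless of how many sources take part. The account-keyed delay also applies to the legitimate user, which is the trade-off the post notes about logging in during an attack.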