On the other side, this makes it trivial to rate-limit an account from any IP.
I'd rather not change this and close the linked issue as won't fix /cc @Seldaek

Yeah i can see that. It boils down to what is the greatest risk and what does the most damage I guess. I'd say ip based restrictions are less and less useful because botnets are widely available and ipv6 let's you have a million ips easily. So the main thing ip based rate limiting fixes is that security researchers stop sending reports about lack of rate limiting..

Of course I may be wrong 🤷🏻‍♂️

At least it protects against me hitting F5 in a loop:D

i think a locked out account is a temporary problem, a hacked one isn't. the only downside is that it stays locked as long as it's under attack

Thinking more about it: I agree the IP dimension alone is weak (botnets, IPv6), but I don't think dropping it is the answer. It just swaps one attack (distributed brute-force) for another (targeted account-lockout DoS, trivially mountable from anywhere). For a default shipped to every Symfony app, the second failure mode feels worse than the first: a sustained attacker keeps named accounts (admins, support, on-call) frozen indefinitely.

We should add a third limiter keyed on username only, so the chain becomes: 1. IP only, 2. username+IP, 3. username only.

That'd cover the botnet case from the issue without making lockout-DoS a one-liner. Not perfect (a patient attacker can still saturate #3), but a real hardening rather than a tradeoff swap.

Also worth noting: this is a behavior change, so even if we go this route I'd target 8.x rather than 6.4.

Closing therefor. Thanks for submitting.