In some cases, in some countries, this may not be the developer’s choice, i.e. government forcing web sites to use better auth for important things (not random forums), important things like telecommunications and banking and maybe health.
There are tried and true defences against that. For example, as stated in the article:
Apple’s iOS, for instance, makes the user wait increasing lengths of time after each incorrect PIN guess.
It is arguable that the Librem 5 should offer the same (but that’s really an upstream problem).
I usually work to the theory that it should not be possible to online brute force in under 4 days, i.e. the length of a long weekend (from someone who lives in the so-called “Land of the Long Weekend”), after which someone should detect the problem and raise the alarm etc.
So let’s say: your first 30 PIN attempts are the standard 3 second delay, after which there is a mandatory 120 second delay between attempts. A 4-digit PIN is on average broken in 7 days (worst case 14 days).
Of course there are also other tried and true defences that are more aggressive, e.g. after X failed attempts, the password is “locked” in /etc/shadow so that password login to that account is not possible at all and you will be forced to do something else to gain access.
The article says:
“There’s nothing to stop someone from guessing all the possible PINs,” says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. “We often hear ‘no one would ever do that.’”
Whether it is true or not that ‘no one would ever do that’, no legitimate user would ever do that. You would try a dozen times and then realise that you are “stuffed” and seek some other approach.
Note though that if you don’t use LUKS then your 4-digit PIN can be broken in a fraction of a second (offline) and no amount of defence within the system itself will make any difference.
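The throttling arithmetic in the post (30 attempts at 3 s, then 120 s per attempt, giving roughly 7 days average and 14 days worst case against a 4-digit PIN) is easy to check and to enforce. The following is an added example, not code from the post or from the Librem 5 / iOS software it mentions: it models the cost of an online brute force under a configurable delay policy and implements a small throttle that enforces that policy. The step policy uses the post’s numbers; the exponential schedule and the `PinThrottle` class are assumptions added for illustration.

```python
"""Model and enforce a PIN-guess throttling policy (constructed example).

The step policy reproduces the post's numbers: 3 s for the first 30 attempts,
then 120 s between attempts.  The exponential policy and PinThrottle are
illustrative assumptions, not the schedule any real phone OS uses.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

SECONDS_PER_DAY = 86_400
PIN_SPACE_4_DIGITS = 10_000


def step_policy(attempt: int) -> float:
    """Delay in seconds paid for attempt number `attempt` (1-indexed)."""
    return 3.0 if attempt <= 30 else 120.0


def exponential_policy(attempt: int, base: float = 1.0, cap: float = 3600.0) -> float:
    """Doubling delay with a ceiling (constructed escalating schedule).

    The exponent is clamped so the float arithmetic cannot overflow when the
    policy is evaluated across the whole key space.
    """
    return min(base * 2.0 ** min(attempt - 1, 60), cap)


def brute_force_cost(space: int, policy: Callable[[int], float]) -> tuple[float, float]:
    """Return (worst_case_seconds, mean_seconds) for an online brute force.

    The secret is assumed uniformly random over `space` values and the
    guesser tries every value once, paying `policy(n)` before guess n.
    The mean is the average over all possible secrets of the time at which
    the correct guess lands.
    """
    elapsed = 0.0
    sum_of_landing_times = 0.0
    for n in range(1, space + 1):
        elapsed += policy(n)
        sum_of_landing_times += elapsed
    return elapsed, sum_of_landing_times / space


def days(seconds: float) -> float:
    return seconds / SECONDS_PER_DAY


@dataclass
class PinThrottle:
    """Enforces a delay policy on PIN checks; caller supplies the clock."""
    policy: Callable[[int], float] = step_policy
    failures: int = 0
    last_failure_at: Optional[float] = None

    def seconds_until_allowed(self, now: float) -> float:
        if self.last_failure_at is None:
            return 0.0
        wait = self.policy(self.failures + 1)  # delay before the next attempt
        return max(0.0, self.last_failure_at + wait - now)

    def attempt(self, pin: str, correct: str, now: float) -> bool:
        """Check `pin` against `correct`; refuse if the delay has not elapsed."""
        remaining = self.seconds_until_allowed(now)
        if remaining > 0:
            raise PermissionError(f"retry in {remaining:.0f} s")
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(pin, correct):
            self.failures = 0
            self.last_failure_at = None
            return True
        self.failures += 1
        self.last_failure_at = now
        return False


if __name__ == "__main__":
    for name, policy in (("step", step_policy), ("exponential", exponential_policy)):
        worst, mean = brute_force_cost(PIN_SPACE_4_DIGITS, policy)
        print(f"{name:12s} mean {days(mean):6.2f} d   worst {days(worst):6.2f} d")
```

Running the script prints the mean and worst-case time to exhaust a 4-digit PIN space under each policy; the step policy lands on the post’s figures of about 7 and 14 days. `PinThrottle` takes `now` as a parameter rather than reading the clock, which makes the lockout logic unit-testable and keeps the delay independent of any wall-clock the attacker might influence.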