This would be for unauthenticated users trying to brute-force sign-ups or logins. Once you're logged in, I identify you with the email you used.
Rate limiting by IP is common and good.
We're still gonna hash it and cache it for a maximum of 1 minute. I think it's a reasonable trade-off.
Seems reasonable enough.