Credential stuffing attacks and possible solutions for web frameworks(ie Django)

Hey everyone I want to share my personal and real-world experience about credential stuffing attacks. These are very hard to solve because fundamentally it's users fault, especially the ones with password-reuse habit. Nevertheless we responsible developers are the ones who should keep the internet safe, so feel free to chime in, evaluate my solutions and maybe we come up with "the" best practice against this type of attacks.

If there's interest I want to make this into a library and open source a django-specific solution as it's my everyday framework. The discussion applies to ALL web frameworks.