To avoid dictionary attacks on login, the delay before the user can make another attempt should increase with each failed login:
1st failed login no delay
2nd failed login 2 sec delay
3rd failed login 4 sec delay
4th failed login 8 sec delay
5th failed login 16 sec delay
...
Source: http://www.codinghorror.com/blog/archives/001206.html
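
One way to implement the schedule above, as an added example (not code from this page or from the linked article). The names `delay_after_failure` and `LoginThrottle`, the in-memory store, the per-key tracking and the 900-second cap are assumptions of this sketch; the schedule in the text leaves its tail open.

```python
import time


def delay_after_failure(failures, cap=900):
    """Seconds to wait after the Nth consecutive failed login.

    Schedule from the text: 1st -> 0, 2nd -> 2, 3rd -> 4, 4th -> 8, 5th -> 16.
    The cap is an assumption of this example, not part of the text.
    """
    if failures <= 1:
        return 0
    return min(2 ** (failures - 1), cap)


class LoginThrottle:
    """Tracks consecutive failures per key (e.g. username) in memory."""

    def __init__(self, clock=time.monotonic, cap=900):
        self._clock = clock  # injectable so the schedule can be tested
        self._cap = cap
        self._state = {}  # key -> (consecutive failures, earliest next attempt)

    def retry_after(self, key):
        """Seconds the caller must still wait; 0 means an attempt is allowed."""
        _, not_before = self._state.get(key, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, key):
        """Count a failed attempt and return the delay now imposed."""
        failures = self._state.get(key, (0, 0.0))[0] + 1
        delay = delay_after_failure(failures, self._cap)
        self._state[key] = (failures, self._clock() + delay)
        return delay

    def attempt(self, key, verify):
        """Return (logged_in, seconds_to_wait).

        `verify` is a zero-argument callable that checks the credentials.
        It is not called while the key is throttled, so guesses submitted
        during the delay are never evaluated.
        """
        wait = self.retry_after(key)
        if wait > 0:
            return False, wait
        if verify():
            self._state.pop(key, None)  # success resets the counter
            return True, 0.0
        return False, float(self.record_failure(key))
```

Keying the counter by username alone lets anyone delay a legitimate user's login by submitting wrong passwords for that account, so the choice of key (account, source address, or both) needs deciding before deployment.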