One possible compromise would be that if the login is not successful, just delay the rejection response for a period of time, for example, 10 seconds.

So now you are open to DoS via resource depletion. What's your next plan?

How so? So user Tom38 has a 10-second or so wait before his next login attempt shows up (some pages take longer than that to load!), or IP 118.234.567.8910 takes 10 seconds before the page comes through. How's that a DoS? Only those who have typed a wrong password get the delay. I fail to see how that is a DoS.
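The disagreement above is about where the delay lives. If the server holds the connection open while it waits, every failed attempt occupies a request worker for the full 10 seconds, and a pool of workers fills up after a handful of wrong guesses, so everyone else (including the real Tom38) gets turned away. If instead the server records a "not before" time and rejects early retries immediately, the guesser is still slowed to the same rate but no worker sits idle. The following simulation is an added example, not code from anyone in this thread; the worker pool size, the credential store, the two addresses and the request timings are all constructed sample data, and time is a virtual clock so the script runs instantly.

```python
"""
Compare two ways of slowing down failed logins against a fixed pool of workers.

  tarpit_login  - hold the connection for DELAY seconds after a wrong password
                  (the proposal in the thread); the worker stays busy while it waits.
  BackoffGate   - record a per-source "not before" time after each failure and
                  reject early retries immediately; no worker is held idle.

Credentials, addresses and timings are constructed sample data.
"""
from collections import Counter

SERVICE_TIME = 0.01   # seconds a worker needs to handle one request (assumed)
DELAY = 10.0          # tarpit delay proposed in the thread
USERS = {"tom38": "correct-horse"}  # constructed credential store


def check_password(user, password):
    return USERS.get(user) == password


class WorkerPool:
    """Fixed number of request handlers, each busy until its release time."""

    def __init__(self, size):
        self.size = size
        self.release_at = []

    def acquire(self, now, hold):
        # Free slots whose hold has elapsed, then try to take one for `hold` seconds.
        self.release_at = [t for t in self.release_at if t > now]
        if len(self.release_at) >= self.size:
            return False
        self.release_at.append(now + hold)
        return True


def tarpit_login(pool, now, source_ip, user, password):
    """Failed login keeps the worker busy for SERVICE_TIME + DELAY."""
    ok = check_password(user, password)
    hold = SERVICE_TIME + (0.0 if ok else DELAY)
    if not pool.acquire(now, hold):
        return "503 pool exhausted"
    return "200 ok" if ok else "401 rejected after delay"


class BackoffGate:
    """Exponential backoff keyed by source address; early retries are refused at once."""

    def __init__(self, base=1.0, cap=60.0):
        self.base, self.cap = base, cap
        self.failures = {}
        self.not_before = {}

    def login(self, pool, now, source_ip, user, password):
        if not pool.acquire(now, SERVICE_TIME):   # worker is released right away
            return "503 pool exhausted"
        if now < self.not_before.get(source_ip, 0.0):
            return "429 too many attempts"
        if check_password(user, password):
            self.failures.pop(source_ip, None)
            self.not_before.pop(source_ip, None)
            return "200 ok"
        n = self.failures.get(source_ip, 0) + 1
        self.failures[source_ip] = n
        self.not_before[source_ip] = now + min(self.cap, self.base * 2 ** (n - 1))
        return "401 rejected"


def simulate(strategy, workers=8):
    """Replay 60 wrong guesses (one every 0.5 s) from one address, plus Tom38's real login."""
    pool = WorkerPool(workers)
    events = [(i * 0.5, "203.0.113.7", "tom38", f"guess{i}") for i in range(60)]
    events.append((5.25, "198.51.100.9", "tom38", "correct-horse"))  # the real Tom38
    events.sort()
    attacker, legit = Counter(), None
    for now, ip, user, pw in events:
        status = strategy(pool, now, ip, user, pw)
        if ip == "198.51.100.9":
            legit = status
        else:
            attacker[status] += 1
    return attacker, legit


def compare():
    """Return {name: (attacker status counts, legitimate user's status)} for both designs."""
    return {
        "tarpit": simulate(tarpit_login),
        "backoff": simulate(BackoffGate().login),
    }


if __name__ == "__main__":
    for name, (attacker, legit) in compare().items():
        print(f"{name:8s} attacker={dict(attacker)} legitimate user={legit}")
```

With eight workers the tarpit is full after eight wrong guesses, so the guesser's later requests and Tom38's correct login at 5.25 s all come back as 503; the backoff gate never runs out of workers, answers the guesser with 401 only when the wait has elapsed and 429 otherwise, and lets Tom38 in. The gate is keyed by source address here; keying by account alone lets a guesser lock the real owner out, while keying by address alone does little against guesses spread over many addresses, so production systems usually combine both.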

