Adam, your idea is good but the implementation is bad. The solution presumes a malicious user is attempting to break passwords through a serialized attempt: try, wait, try, wait, try, wait, etc. But anyone who can guess at your methodology will then just spawn N asynchronous requests, which will then defeat your security measure altogether. A better solution is to disable the username, perhaps for a couple minutes, after N invalid attempts. And on your login screen, display the timestamp of the last successful login. This will give the true user some information as to what is going on.
Paul
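
The lockout described in the comment above, sketched as an added example that is not part of the original comment or of Adam's code. The class name `LoginGuard`, the `check_password` callable and the default of 5 failures and 120 seconds are assumptions for illustration; each attempt is charged under a mutex before the password is verified, so parallel requests cannot outrun the counter.

```python
import threading
import time


class LoginGuard:
    """Per-username lockout after repeated failures (constructed example)."""

    def __init__(self, check_password, max_failures=5, lockout_seconds=120,
                 clock=time.time):
        self._check = check_password    # assumed callable(user, pw) -> bool
        self._max = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._mutex = threading.Lock()
        self._failures = {}             # user -> attempts charged since last success
        self._locked_until = {}         # user -> time the lockout ends
        self._last_success = {}         # user -> time of last successful login

    def attempt(self, user, password):
        """Return (ok, previous_success_time); locked users are never checked."""
        with self._mutex:
            now = self._clock()
            until = self._locked_until.get(user)
            if until is not None:
                if now < until:
                    return False, None
                # Lockout expired: start a fresh window.
                del self._locked_until[user]
                self._failures[user] = 0
            # Charge the attempt before verifying it, under the mutex, so
            # parallel requests cannot all pass the counter check at once.
            self._failures[user] = self._failures.get(user, 0) + 1
            if self._failures[user] >= self._max:
                self._locked_until[user] = now + self._lockout
        if not self._check(user, password):   # slow hash check runs unlocked
            return False, None
        with self._mutex:
            self._failures[user] = 0
            self._locked_until.pop(user, None)
            previous = self._last_success.get(user)
            self._last_success[user] = now
        return True, previous
```

The second element of a successful result is the time of the previous successful login, which is the value to show on the login screen. Because the lock is keyed on the username, anyone who knows a username can trigger it for the real owner, which is a reason to keep the window as short as the comment suggests.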