PerlMonks  

Re: Password hacker killer

by liz (Monsignor)
on Sep 07, 2003 at 14:31 UTC


in reply to Password hacker killer

I would definitely count the number of unsuccessful tries for a particular user. Then put in a sleep of one second for each unsuccessful try. So the first unsuccessful try will take 1 second, the second 2, etc. etc. This will at least slow the attack down, but may have turned it into an unwanted DoS attack if more attempts are made before the previous has returned its result.

So you would need to be a little smarter, by somehow flagging that a sleep after an unsuccessful attempt is occurring. And simply break the connection on any attempts being made while in a "sleep" period (as this indicates a parallel, and most likely programmed attack). If you find two or more parallel requests, I think you can safely assume you have an attack on your hands and appropriate actions (notifying admins, blocking IP number, etc) may be needed.

Of course, once the user properly supplies the password, reset the failed tries counter.

No code, just a principle course of action. Hope it helps.

Liz
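The failure counter, progressive sleep, parallel-attempt check and reset-on-success described above, as an added example in Python (not code from the post or from PerlMonks). The password check, clock and sleep are injected callables so the logic can be exercised without real waiting; the user table in the test is a constructed in-memory dict.

```python
"""Progressive-delay login throttle (added illustration, not from the thread).

The clock and sleep functions are injected so the logic can be tested
without real waiting; in production the defaults (time.monotonic and
time.sleep) apply.
"""
import time
from dataclasses import dataclass


@dataclass
class UserState:
    failures: int = 0            # consecutive failed attempts
    sleeping_until: float = 0.0  # end of the current penalty sleep
    parallel_hits: int = 0       # attempts that arrived during a sleep


class LoginThrottle:
    def __init__(self, check_password, clock=time.monotonic, sleep=time.sleep):
        self._check = check_password      # callable(user, password) -> bool
        self._clock, self._sleep = clock, sleep
        self._state = {}                  # per-user state (assumed in-memory)

    def attempt(self, user, password):
        """Return 'ok', 'fail', 'parallel' or 'attack' for one login attempt."""
        st = self._state.setdefault(user, UserState())
        now = self._clock()
        if now < st.sleeping_until:
            # Request arrived while a penalty sleep is still running. A
            # legitimate client would still be waiting on the previous
            # response, so drop this one without checking the password.
            # Two or more such hits are treated as a programmed attack.
            st.parallel_hits += 1
            return "attack" if st.parallel_hits >= 2 else "parallel"
        if self._check(user, password):
            st.failures = 0                # success resets the counter
            st.parallel_hits = 0
            return "ok"
        st.failures += 1
        delay = float(st.failures)         # 1 s, then 2 s, then 3 s, ...
        st.sleeping_until = now + delay
        self._sleep(delay)                 # slow the attacker down
        return "fail"
```

When `attempt` returns "attack", the caller is the place to add the notification or IP blocking the post mentions.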
