Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the ip's also?
This solution is impossible to implement without making regular users lives difficult.
Lets say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect VIA proxy services.