Simply locking an account for one minute makes it horribly slow to try a brute force attack.
No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.