This is very practical; a per basis flood control. Slows down brute, minimal interruption to legit. If you run a posting type system, you can actually make use of the IP only to the sense that if the IP has been used in the past for posting, that chances are somewhat high that the user is legit and simply keyed in wrong. You can reduce flood controls for such situation to like 5 seconds which is about the time for them to read the message and try again.
I also implement temporary account lockouts though. I time them variably, but default would be set for 5 minutes. After three such attempts (of 5 or so attempts, so say 15 fails in total), I permanently lock the account, and send an email to the registered account with unlocking procedures to follow. This way they don't have to wait for me to unlock them.
If the user's anything like I am, and I'm quite patient in attempts, after about 5 or 6 failed attempts, I then run password reset procedures sine I've obviously forgotten my password by this point. So make sure you create a password reset mechanism as well.
header('HTTP/1.1 420 Enhance Your Calm');