Originally Posted by devinmaking
So having a 15 minutes is a little to much then.
Would you want to wait that long to try again if your finger slipped and you mistyped your password?
You might lock an account for that long after several wrong passwords have been entered but not on each attempt.
The suggestion of a lock for a few seconds is after each and every wrong attempt or attempt while locked. So typing a wrong password would lock the account for a few seconds - which most people would use up simply in realising that they typed it wrong and to retype it - so that a person shouldn't even notice the lock. Only a bot that is submitting 1000 passwords a second would be affected.