I have built 2 types of CMS admins before. My first one was a user/pass where you would have 3 tries until it blocks your IP, and the 2nd is what I currently use, where you have to enter a passcode (of course using the random md5). After that, it also needs to be accepted by the main IP (IP address acts as your user; new IP.. have to relog), so it won't allow anyone to actually try to attempt a login, because it has to be approved by an existing IP. I built that on my iPhone as well, so if my boss is out of town, he can txt me to approve his new IP, etc. Works out pretty well so far.
(Before the CMS, we would just lock the directory to only our office IP, but that restricts too much.)
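
The approval flow described in the post above, sketched as an added example that is not the poster's code: a new IP that knows the passcode stays pending until an already-approved IP accepts it. The class and method names are hypothetical, the addresses are constructed, and storing the passcode as a salted PBKDF2 hash is this example's choice.

```python
import hashlib
import hmac
import os


class IpApprovalGate:
    """Passcode login where each new IP must be approved from a known IP."""

    def __init__(self, passcode, first_ip):
        self._salt = os.urandom(16)
        self._hash = self._derive(passcode)
        self.approved = {first_ip}  # bootstrap address, e.g. the office IP
        self.pending = set()        # IPs that passed the passcode step only

    def _derive(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def login(self, ip, passcode):
        """Return 'ok', 'pending' or 'denied'.

        `ip` must be the peer address of the connection itself; a value
        copied from a client-supplied header such as X-Forwarded-For can
        be set by the client and would defeat the check.
        """
        if not hmac.compare_digest(self._derive(passcode), self._hash):
            return "denied"
        if ip in self.approved:
            return "ok"
        self.pending.add(ip)  # right passcode, unknown IP: wait for approval
        return "pending"

    def approve(self, approver_ip, new_ip):
        """Approve new_ip only if the approver is approved and new_ip is pending."""
        if approver_ip not in self.approved or new_ip not in self.pending:
            return False
        self.pending.discard(new_ip)
        self.approved.add(new_ip)
        return True


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    gate = IpApprovalGate("s3cret-passcode", "192.0.2.10")
    print(gate.login("198.51.100.7", "s3cret-passcode"))  # new IP waits
    print(gate.approve("192.0.2.10", "198.51.100.7"))     # known IP approves
    print(gate.login("198.51.100.7", "s3cret-passcode"))  # now accepted
```
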