That prevents brute force attacks against one specific account, but not against an attack against all users of a site. If you have the capability to make, say, 10k login attempts per second (no idea if that's realistic), you don't slow down to 1 attempt/second, you just attack 10k different accounts once every second.

IP blocks can be countered in other ways (botnets, tor, etc).

I'm not saying it's a bad idea though, there doesn't seem to be any downside apart from the book-keeping required. You could probably start with a higher delay (5 to 10 seconds seems very reasonable) and increase it to several minutes. But please don't make it 24 hours after 3 failed attempts, which happened to me when I tried to order train tickets online and forced me to make a trip to a physical ticket vending machine.



The site should have the capability to detect:
- multiple login attempts - show captcha
- same account login attempt from multiple IPs - show captcha
With the above, a simple time wait for the next attempt could solve the issue for most legit attempts, right?
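As an added example that is not from either commenter: a login throttle that combines the escalating per-account wait from the first comment (start at a few seconds, cap at minutes, never a day) with the captcha triggers from the second, plus a captcha when one IP sweeps many accounts, which is the spraying pattern the first comment warns about. The class name, thresholds and in-memory tables are assumptions.

```python
# Added example, not code from the thread. In-memory login throttle:
# per-account exponential back-off plus captcha triggers for
# one-IP-many-accounts (spraying) and one-account-many-IPs (botnet/Tor).
# Thresholds below are assumed values, not recommendations from the thread.
from collections import defaultdict


class LoginThrottle:
    def __init__(self, base_delay=5.0, max_delay=300.0, window=600.0,
                 ip_account_limit=20, account_ip_limit=5):
        self.base_delay = base_delay            # first wait, seconds
        self.max_delay = max_delay              # cap: minutes, not 24 hours
        self.window = window                    # how long an IP/account pair is remembered
        self.ip_account_limit = ip_account_limit
        self.account_ip_limit = account_ip_limit
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.next_allowed = defaultdict(float)  # account -> earliest next attempt
        self.ip_accounts = defaultdict(dict)    # ip -> {account: last_seen}
        self.account_ips = defaultdict(dict)    # account -> {ip: last_seen}

    def _prune(self, table, now):
        # Forget pairs older than the window so the tables stay bounded.
        for key in [k for k, t in table.items() if now - t > self.window]:
            del table[key]

    def check(self, account, ip, now):
        """Return 'allow', 'delay' or 'captcha' for an attempt at time `now`."""
        self._prune(self.ip_accounts[ip], now)
        self._prune(self.account_ips[account], now)
        self.ip_accounts[ip][account] = now
        self.account_ips[account][ip] = now
        # Distributed patterns: many accounts from one IP, or one account from many IPs.
        if (len(self.ip_accounts[ip]) > self.ip_account_limit
                or len(self.account_ips[account]) > self.account_ip_limit):
            return "captcha"
        if now < self.next_allowed[account]:
            return "delay"
        return "allow"

    def record(self, account, now, success):
        """Update the per-account back-off after an attempt was processed."""
        if success:
            self.failures[account] = 0
            self.next_allowed[account] = 0.0
            return
        self.failures[account] += 1
        # 5s, 10s, 20s, ... capped at max_delay.
        delay = min(self.base_delay * 2 ** (self.failures[account] - 1), self.max_delay)
        self.next_allowed[account] = now + delay
```

Persisting the tables in a shared store instead of process memory is what the first comment calls the book-keeping cost.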
