Project: atlassian-seraph
Issue: SER-87

Implement user lockout mechanism to stop bruteforce login attacks


    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Medium

It is possible to build a client which sends username+password combinations as many times as you like.

.. and if you have the username, it is much easier to get in.

To stop this, the following can be implemented:

1) Lock the user after X sequential incorrect logins

• X can be set by the administrator
• if the admin's own username is locked, it should be possible to unlock it from the console

2) Put the IP on a blacklist (unable to try to log in) after Y sequential incorrect logins

• Y can be set by the administrator
• the IP can be removed from the blacklist by the admin, and it should also be possible to do this from the console

3) this can also be done by using "bullet time" after Z sequential incorrect logins

• when the hacker has tried Z times to log in, the login will take 10 times longer
• when the hacker has tried 2*Z times to log in, the login will take 2*10 times longer
• .. until Y is reached and the IP is put on the blacklist
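The three proposals above combined into one throttling policy, as an added example that is not Seraph's code and is not tied to its API (it is a language-neutral model in Python). X, Y, Z and the 10x slowdown factor are the parameters the request names; everything else is an assumption: the slowdown is counted per IP, an admin unlock or blacklist removal also clears the matching counter, a successful login clears only the user's counter (so one valid account cannot be used to reset the IP counter), and there is no time-based expiry because the request does not describe one.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class ThrottleDecision:
    allowed: bool
    reason: str            # "ok", "user_locked" or "ip_blacklisted"
    delay_multiplier: int  # 1 = normal speed; 10, 20, ... = "bullet time"


class LoginThrottle:
    """Lockout policy modelled on SER-87 (assumptions noted in the lead-in)."""

    def __init__(self, x_user_lock: int, y_ip_blacklist: int,
                 z_bullet_time: int, slowdown_factor: int = 10):
        if min(x_user_lock, y_ip_blacklist, z_bullet_time) <= 0:
            raise ValueError("thresholds must be positive")
        self.x = x_user_lock          # proposal 1: lock user after X failures
        self.y = y_ip_blacklist       # proposal 2: blacklist IP after Y failures
        self.z = z_bullet_time        # proposal 3: slow down every Z failures
        self.factor = slowdown_factor
        self._user_failures: Dict[str, int] = {}
        self._ip_failures: Dict[str, int] = {}
        self._locked_users: Set[str] = set()
        self._blacklisted_ips: Set[str] = set()

    def check(self, username: str, ip: str) -> ThrottleDecision:
        """Run BEFORE the password is verified, so a locked account or a
        blacklisted IP never reaches the credential check at all."""
        if ip in self._blacklisted_ips:
            return ThrottleDecision(False, "ip_blacklisted", 0)
        if username in self._locked_users:
            return ThrottleDecision(False, "user_locked", 0)
        return ThrottleDecision(True, "ok", self.delay_multiplier(ip))

    def delay_multiplier(self, ip: str) -> int:
        """Proposal 3: after Z failures the login takes 10x longer, after 2*Z
        failures 2*10x longer, and so on (the caller sleeps base * multiplier)."""
        steps = self._ip_failures.get(ip, 0) // self.z
        return 1 if steps == 0 else steps * self.factor

    def record_failure(self, username: str, ip: str) -> None:
        """Count one incorrect login against both the user and the source IP."""
        self._user_failures[username] = self._user_failures.get(username, 0) + 1
        self._ip_failures[ip] = self._ip_failures.get(ip, 0) + 1
        if self._user_failures[username] >= self.x:
            self._locked_users.add(username)
        if self._ip_failures[ip] >= self.y:
            self._blacklisted_ips.add(ip)

    def record_success(self, username: str) -> None:
        """A correct login ends that user's sequence of failures. The IP
        counter is deliberately left alone (assumption, see lead-in)."""
        self._user_failures.pop(username, None)

    def attempt(self, username: str, ip: str,
                verify: Callable[[], bool]) -> ThrottleDecision:
        """Full flow: throttle first, verify credentials only if allowed."""
        decision = self.check(username, ip)
        if not decision.allowed:
            return decision
        if verify():
            self.record_success(username)
        else:
            self.record_failure(username, ip)
        return decision

    # Administrative operations, exposed via the UI and the console per the
    # request; clearing the counter stops an immediate re-lock/re-blacklist.
    def unlock_user(self, username: str) -> None:
        self._locked_users.discard(username)
        self._user_failures.pop(username, None)

    def remove_ip_from_blacklist(self, ip: str) -> None:
        self._blacklisted_ips.discard(ip)
        self._ip_failures.pop(ip, None)


if __name__ == "__main__":
    # Constructed demo: X=3, Y=9, Z=4 from a single source address.
    throttle = LoginThrottle(x_user_lock=3, y_ip_blacklist=9, z_bullet_time=4)
    for i in range(10):
        d = throttle.attempt(f"user{i % 4}", "198.51.100.7", lambda: False)
        print(i + 1, d)
```

Note that proposal 1 on its own lets anyone who knows a username lock that account by sending wrong passwords, which is exactly why the request insists the admin account must be unlockable from the console; the per-IP measures (2 and 3) are what actually slow an automated client down without that side effect.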

Assignee: Unassigned
Reporter: AntonA (anton@atlassian.com)
Votes: 7
Watchers: 5

Created:
Updated:
9 years, 34 weeks, 1 day ago