Mitigate brute force attacks on login page

[eluser]novice32[/eluser]
I just wanted to share the below for mitigating brute force attacks, which are often overlooked. Essentially, a valid login will get authenticated quickly, but an invalid will be delayed by 1 second.

Thoughts, anyone? I know you can block an IP after a number of failed attempts, but that seems risky and more complex.

Code:

function _login_valid()
    {

        $email = $this->input->post('email');
        $password = $this->input->post('password');
        if ($this->User_model->login_valid($email, $password) == false)
        {
            sleep(1); //if username and password combo is wrong, sleep for one second
            $this->form_validation->set_message('_login_valid', 'Invalid username and/or password.');
            return false;
        } else
        {
            return true;
        }
    }