[eluser]Dam1an[/eluser]
why implement an elaborate solution, just to use the weakest hashing algorithm known to man?
Also, it's more traditional to not block the user, but to prevent login attempts for 15 or so minutes
This means they need
(number of password combinations / 3) * 15 minutes
to try them all... not gonna happen
Also, never underestimate real users locking themselves out, which can become a support nightmare
Also, people with dynamic IPs may 'inherit' a blocked IP