@elmer:This is so far the most effective way to block bad guys from brute force trying your passwords.
I always think it should be good idea to ban an IP if user trying too many bad attempts from there. Maybe I should add this suggestion to MS Connect.
EDIT: I'm making my suggestion here. See if there's something to add/change.