Very ancient, solved problem
Digital's VAX/VMS operating system had a strong solution to this 25 years ago, so there's no excuse for such easily crackable login code.
After the third sequential failed login attempt VMS disconnected the login program from the account and replaced it with another program that looked and acted the same, but whose only actions were to log that it had been started and then accept and discard all following login attempts. Once the switch-over had occurred the account could not be used again until the local BOFH had reset it. The technique was reinforced by requiring users to select long passwords that were not in a dictionary of common words, etc.
This was in the days of dial-up access: the idea of the fake login program was to see how high you could run the perp's phone bill before he twigged that his automated dictionary attack was never going to work.
Adapting this approach to the Internet Age is easy: implementation is left as an exercise for the reader.
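The switch-over the comment describes, written out as an added example (this is not part of the original post and not VMS code): a small Python login guard that, after `MAX_FAILURES` consecutive failures, swaps the real password check for a decoy that logs and discards every further attempt, the correct password included, until an operator resets the account. It also carries the second half of the comment, a minimum-length and dictionary check on new passwords. The names (`LoginGuard`, `Account`, `password_acceptable`, `COMMON_WORDS`), the constructed word list and the in-memory audit log are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Hypothetical parameters for this example (not VMS defaults).
MAX_FAILURES = 3      # the third sequential failure triggers the switch-over
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    decoy: bool = False   # True once the real login path has been swapped out


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the decoy runs this too so timing stays identical."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, tarpit_seconds=0.0):
        self.accounts = {}
        self.audit = []                 # constructed in-memory log; real code writes to syslog
        self.tarpit = tarpit_seconds    # Internet-age "phone bill": hold the decoy connection

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def attempt(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)  # dummy work so timing doesn't reveal unknown users
            self.audit.append(f"FAIL user={user!r} (unknown)")
            return False
        if acct.decoy:
            # Fake login program: same CPU cost as a real check, log it, discard it.
            _hash(password, acct.salt)
            time.sleep(self.tarpit)
            self.audit.append(f"DECOY user={user!r} attempt discarded")
            return False
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.audit.append(f"OK user={user!r}")
            return True
        acct.failures += 1
        self.audit.append(f"FAIL user={user!r} count={acct.failures}")
        if acct.failures >= MAX_FAILURES:
            acct.decoy = True             # from here on only the decoy answers
            self.audit.append(f"DECOY user={user!r} started")
        return False

    def reset(self, user):
        """Operator action: the only way out of decoy mode."""
        acct = self.accounts[user]
        acct.failures = 0
        acct.decoy = False
        self.audit.append(f"RESET user={user!r} by operator")


# Constructed stand-in for a real common-words dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon"}


def password_acceptable(password, min_len=12, dictionary=COMMON_WORDS):
    """Reject short passwords and any that contain a dictionary word (case-insensitive)."""
    if len(password) < min_len:
        return False
    lowered = password.lower()
    return not any(word in lowered for word in dictionary)
```

The decoy path deliberately does the same PBKDF2 work as a genuine check and returns the same answer, so response timing and error text do not tell the attacker that the account has been switched. Note the trade-off the comment does not mention: locking an account until a human resets it lets anyone who knows a username deny service to its owner, so a deployment exposed to the whole Internet normally pairs this with per-source limits or a timed unlock.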