Ideally you want something like 3 seconds per password per IP starting the timer before you look up the password.