by bayindirh 19 days ago
Well, seeing how systems are brute-forced and how much speed you can achieve today, these delays are more and more welcome on my end.

Authentication systems have had lockout periods or increasing delays for decades. 1 attempt per 5 seconds and 12 attempts per minute would be equivalent for brute force. And 12 attempts per minute would be a very loose lockout policy.
However, it's a good starting point for any system which might be user-facing and reasonably secured by the network around the system.

There's such a thing as bad defaults, and starting too heavy-handed is starting with bad defaults.

In short, the current default is a good compromise and a good default.
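The comparison above between a fixed per-attempt delay and a per-minute attempt cap can be checked by simulating an attacker who guesses as fast as each policy allows. The following is an added example, not code from the thread or from any particular product; the three policy classes, their parameters (5 s fixed delay, 12 per 60 s window, 1 s doubling backoff capped at 300 s) and the one-hour horizon are assumptions chosen to illustrate the point, and the exponential-backoff policy goes beyond the two policies the comment names.

```python
"""Count how many online guesses a brute-forcer gets in a fixed horizon
under different throttling policies. Added example; all policies and
parameters below are assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class FixedDelay:
    """At most one attempt every `delay_s` seconds (e.g. 1 per 5 s)."""
    delay_s: float

    def next_allowed(self, now: float, history: list) -> float:
        # The attacker's next try can happen as soon as the delay elapses.
        return now + self.delay_s


@dataclass
class SlidingWindow:
    """At most `limit` attempts in any trailing window of `window_s` seconds
    (e.g. 12 per minute). `history` already contains the attempt at `now`."""
    limit: int
    window_s: float

    def next_allowed(self, now: float, history: list) -> float:
        recent = [t for t in history if now - t < self.window_s]
        if len(recent) < self.limit:
            return now  # budget left in the window: no wait at all
        # Otherwise the oldest attempt in the window must age out first.
        return recent[0] + self.window_s


@dataclass
class ExponentialBackoff:
    """Delay doubles after every consecutive failure, capped at `cap_s`.
    Every attempt by the attacker is a failure, so the failure count is
    simply the number of attempts so far."""
    base_s: float
    cap_s: float

    def next_allowed(self, now: float, history: list) -> float:
        failures = len(history)
        return now + min(self.base_s * 2 ** (failures - 1), self.cap_s)


def attempt_times(policy, horizon_s: float) -> list:
    """Timestamps of every attempt an attacker can make within `horizon_s`
    seconds when hitting the endpoint as soon as the policy permits."""
    attempts: list = []
    t = 0.0
    while t < horizon_s:
        attempts.append(t)
        t = policy.next_allowed(t, attempts)
    return attempts


def attempts_within(policy, horizon_s: float) -> int:
    """Total number of guesses the policy allows inside the horizon."""
    return len(attempt_times(policy, horizon_s))


if __name__ == "__main__":
    hour = 3600.0
    # Constructed comparison: the first two policies allow the same number of
    # guesses per hour, which is the equivalence the comment points out.
    for name, policy in [
        ("1 attempt per 5 s", FixedDelay(5)),
        ("12 attempts per 60 s window", SlidingWindow(12, 60)),
        ("exponential backoff 1 s doubling, cap 300 s", ExponentialBackoff(1, 300)),
    ]:
        print(f"{name:45s} -> {attempts_within(policy, hour):5d} guesses/hour")
```

The two rate-limit policies give an attacker the same 720 guesses per hour; the difference is only in burstiness, since the window policy lets 12 guesses land instantly before the wait kicks in. The backoff policy is the "increasing delays" case: it is nearly invisible to a legitimate user who mistypes once or twice but cuts an automated guesser to a few dozen tries per hour.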