One of the OWASP projects I really like is AppSensor and I'm trying to find a way to integrate its concepts into TeamMentor.
So to kickstart this process, I just added a small delay to the login check (see this commit for the details)
I was playing around with the timings and I felt that 500ms was a good amount.
1000ms (1s) felt too much of a delay, and was affecting the user experience.
In principle, this simple 500ms should make a difference in an attacker's ability to brute force TM account details (username and password)