I installed this plugin to test it out on a dev project I am working on. I just entered some wrong information in the login prompt multiple times to check the slow down. Which worked in a browser based log in scenario. A partner that we work with was attempting a brute force attack from another location. They managed over 700 failed attempts from the same IP, almost 600 attempts used the same Username in a little less than 1 hour and 30 minutes. I will find out what method they were using tomorrow. That's pretty disconcerting though. If the tiered slow down was working there is no way they could have logged that many attempts in 1.5 hours. Right?
With that said, I am guessing my IP is now locking my user out. I made 8 or so intentional erroneous logins. Now when I try and log in I get the password reset prompts. I enter the username, click on the link in the email sent, reset the password, login with username and new password successfully, but when I click on the dashboard it kicks me to the password reset function again.
I RDP'd into a remote box and preformed the password reset function and successfully get into wp-admin. When I switch back over to the local machine afterwards, boom, password reset rigamarole!