I am having fun today, one of my sites is being brute force attempted 100s of times with different IPs I don't know whether they are real IPs of some kind of cloaking.
But anyway, strikes me that if someone's tried 'admin' after one lockout or "dave' after 4 attempts that that username should be blocked for time A and then time B too no matter what IP. I have 4 login attempts so if I have password problems twice I make damn sure I know what it really is before trying again and a sensible adjunct to this plugin is an unusual username.
Wonderful plugin though, lifesaver.
A point worth noting is that some brute force attempts scan for authors so it's always wise to have your admin user not a post author.