And exponential backoff is fine, but not when it gets to be too much: it turns into a DoS problem. You could try to key it by IP and never let it go past, say, 2 minutes per source IP.
I.e., if my simply knowing someone's account name lets me disable their account for the next day or longer, that's a big problem.
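A sketch of the per-IP, capped backoff described in this comment, added here as an example (it is not the commenter's code). The IP addresses and the username are constructed, and the account-keyed variant is included only to show the lockout-as-DoS shape the comment warns about:

```python
from collections import defaultdict

CAP_SECONDS = 120.0  # "never let it go past, say, 2 minutes per source IP"


class LoginThrottle:
    """Exponential backoff (1s, 2s, 4s, ...) per key, capped at `cap` seconds."""

    def __init__(self, cap: float = CAP_SECONDS, base: float = 1.0):
        self.base, self.cap = base, cap
        self.failures = defaultdict(int)  # key -> consecutive failed logins
        self.blocked_until = {}           # key -> time the block expires

    def delay_after(self, n_failures: int) -> float:
        return min(self.base * 2 ** (n_failures - 1), self.cap)

    def allowed(self, key: str, now: float) -> bool:
        return now >= self.blocked_until.get(key, 0.0)

    def record_failure(self, key: str, now: float) -> float:
        self.failures[key] += 1
        delay = self.delay_after(self.failures[key])
        self.blocked_until[key] = now + delay
        return delay

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)


def demo(attempts: int = 20) -> dict:
    """A stranger who knows the username fails `attempts` times from one IP.

    Keyed by source IP with a cap, the real user at another IP is unaffected and
    the stranger waits at most CAP_SECONDS; keyed by account with no cap, the
    account is locked for 2**(attempts-1) seconds (over six days at 20 tries).
    """
    by_ip = LoginThrottle(cap=CAP_SECONDS)        # the design suggested above
    by_account = LoginThrottle(cap=float("inf"))  # lockout-as-DoS shape
    stranger_ip, user_ip, account = "203.0.113.5", "198.51.100.7", "alice"
    now = 0.0
    for _ in range(attempts):
        by_account.record_failure(account, now)
        now += by_ip.record_failure(stranger_ip, now)  # stranger waits out each block
    return {
        "ip_keyed_max_delay": by_ip.delay_after(attempts),
        "user_allowed_by_ip": by_ip.allowed(user_ip, now),
        "user_locked_by_account": not by_account.allowed(account, now),
        "account_lock_seconds": by_account.delay_after(attempts),
    }
```

Keying by IP is not a complete answer on its own (shared NATs and attackers with many addresses exist), but it removes the property that a username alone is enough to lock someone out.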