You're Probably Storing Passwords Incorrectly

@Gregory Magarshak: No!

First: “just uppercase it” as a password input policy unnecessarily weakens user passwords. If someone doesn’t want to remember the case in their password, they won’t put it in.

Second: you should never return a message that says EITHER “account doesn’t exist” OR “wrong password”. All this does is allow people to find out if a particular user name is valid in the system! Bad! It should simply tell you “Bad username/password combination” or something to that effect.

Third: not allowing two logins within five seconds would annoy the crap out of me. I would stop using any website that had this function. I botch a password here and there, in which case I don’t want to have to wait even one second to try again. Now I can appreciate what you’re trying to do. But it’s just as effective to lock out a user (or maybe better, an IP address) for attempting 1,000 logins in some time period (say, a day). No cracking effort should be likely to succeed in 1,000 attempts unless your passwords are ridiculously short.