Package: pam

The default (only?) delay policy is awful. Bad logins should be rate-limited via a per-interface or per-user token bucket. Currently, any failed login forces a delay. There isn't any sort of allowance for a small number of typing errors. I hit this damn delay several times each day.
Choosing some numbers that seem like good defaults, the following is better: Add a token to a bucket once every 5 seconds, up to a max of 5 tokens in the bucket. Login attempts block until a token becomes available. A failed login removes a token. This way, slow and clumsy humans are unlikely to hit the delay. Automated attacks will quickly become rate-limited to 12/minute.
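The bucket proposed in the report above, simulated on a virtual clock. This is an added example, not PAM code and not part of the original report. The function names, the whole-second clock and the assumption that the bucket starts full are choices made for this sketch.

```c
#include <stdio.h>

#define CAPACITY 5  /* max tokens in the bucket (from the report) */
#define REFILL_S 5  /* one token every 5 seconds (from the report) */

struct bucket { int tokens; long last; };  /* last = time of last refill tick */

static void tb_init(struct bucket *b, long now) { b->tokens = CAPACITY; b->last = now; }

/* Credit whole refill intervals since the last tick; a full bucket banks nothing. */
static void tb_refill(struct bucket *b, long now) {
    long add = (now - b->last) / REFILL_S;
    if (add >= CAPACITY - b->tokens) { b->tokens = CAPACITY; b->last = now; }
    else { b->tokens += (int)add; b->last += add * REFILL_S; }
}

/* Seconds an attempt arriving at `now` must block until a token is available. */
static long tb_wait(struct bucket *b, long now) {
    tb_refill(b, now);
    return b->tokens > 0 ? 0 : b->last + REFILL_S - now;
}

/* A failed login removes one token. */
static void tb_fail(struct bucket *b, long now) {
    tb_refill(b, now);
    if (b->tokens > 0) b->tokens--;
}

/* Failed attempts completed in [0, duration) by a client that retries instantly. */
long attacker_attempts(long duration) {
    struct bucket b; long t = 0, n = 0;
    for (tb_init(&b, 0);; n++) {
        t += tb_wait(&b, t);
        if (t >= duration) return n;
        tb_fail(&b, t);
    }
}

/* Total seconds blocked for a user who fails n times, gap seconds apart. */
long blocked_seconds(int n, long gap) {
    struct bucket b; long t = 0, blocked = 0;
    tb_init(&b, 0);
    for (int i = 0; i < n; i++) {
        long w = tb_wait(&b, t);
        blocked += w; t += w;
        tb_fail(&b, t);
        t += gap;
    }
    return blocked;
}
```

With a full bucket the first minute allows the 5 stored tokens plus 11 refills; every later minute is capped at the 12 attempts the report states.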