
So you can simply have a maximum delay of, say, 10 minutes.


10 minutes + 1 ms vs 10 minutes + 2 ms can still leak information.

Ideally you want something like 3 seconds per password per IP, starting the timer before you look up the password.
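Added example (editor's illustration, not code from any commenter) of the "start the timer before the lookup" idea in the comment above, set beside the naive "look up, then sleep" variant that the earlier reply says still leaks. The in-memory user store, the PBKDF2 parameters, the dummy credentials and the names `login`, `naive_login` and `timed_login` are all assumptions made for this snippet. Per-IP throttling, the other half of the suggestion, is not shown; this only covers the per-request timing floor.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store (assumption for this example): username -> (salt, hash).
_ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

# Dummy credentials used when the username does not exist, so the expensive
# hash is computed on every request and "no such user" costs the same work
# as "wrong password". Without this, the existence of an account leaks.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("dummy", _DUMMY_SALT)


def _check(username: str, password: str) -> bool:
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    exists = username in USERS
    # Constant-time compare; bitwise & so both operands are always evaluated.
    return hmac.compare_digest(candidate, stored) & exists


def naive_login(username: str, password: str, delay_seconds: float = 3.0) -> bool:
    """The leaky shape: do the work, then add a fixed sleep on top.

    Response time = lookup/hash time + delay, so any variation in the
    lookup (cache hit, missing user, different hash cost) survives the
    added delay and can still be measured.
    """
    ok = _check(username, password)
    time.sleep(delay_seconds)
    return ok


def login(username: str, password: str, min_seconds: float = 3.0) -> bool:
    """Authenticate, never returning before min_seconds have elapsed.

    The deadline is taken before the lookup, so lookup and hashing time are
    absorbed into the fixed floor instead of being added to it. Uses a
    monotonic clock and loops on sleep so an early wake-up cannot undercut
    the floor.
    """
    deadline = time.monotonic() + min_seconds
    ok = _check(username, password)
    while (remaining := deadline - time.monotonic()) > 0:
        time.sleep(remaining)
    return ok


def timed_login(username: str, password: str, min_seconds: float = 3.0):
    """Return (result, elapsed_seconds) so the floor can be observed."""
    start = time.monotonic()
    ok = login(username, password, min_seconds)
    return ok, time.monotonic() - start


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("nobody", "x")]:
        ok, elapsed = timed_login(user, pw, 0.5)
        print(f"{user!r:10} ok={ok!s:5} elapsed={elapsed:.3f}s")
```

The floor only hides what happens inside the request handler; it does nothing about timing differences introduced after the handler returns (serialisation, network), and, as the thread notes, it must be short enough that real users still tolerate it.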


If you had to wait 10 minutes to login to a website every time, you'd very quickly stop bothering to log in.


You'd rule out all the legitimate users and only be left with people trying to break in. That strategy would only work on a honey-pot site.



