10 minutes +1ms vs 10minutes +2ms can still leak information.

Ideally you want something like 3 seconds per password per IP starting the timer before you look up the password.