Recently i read an article is about prevent brute-force attack. It said that automatically disabling user accounts is a poor security mechanism to fight a dictionary attack. In the first place, If an attacker can disable an account by incorrectly guessing its password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. In the second place, because this technique assumes that the attacker is keeping the username constant and varying the password. What if the attacker instead kept the password constant and varied the username? We already know that a large percentage of users use common passwords like “password”. A hacker using a dictionary attack could try “password” for each of the users in his username list, which would not only have a high chance of success, but would also evade the account lockout logic. An attacker could make thousands of login attempts, and even if every one of them failed, the system will only register one incorrect login per account.
Can anyone give me some suggestions to make the disable account more secure ?