If you're using the built-in ASP.NET membership provider, there's a property you can set called passwordAttemptThreshold
. After a certain number of attempts the account will automatically be locked. While you can still be brute-force attacked, the chances of an account being compromised within the passwordAttemptThreshold
is sufficiently low. Also, you can enforce a password policy with the membership provider as well, which really makes brute-force attacks less likely.
Granted, this doesn't answer your exact question, however you may still find it more prudent to simply prevent brute-force attacks from happening in the first place. Whatever brute-force library you find, there will always be a better one out there - and the good ones probably aren't even available as they are no doubt a closely-guarded secret of real hackers.