I'm adding brute force protection to a website and was trying to decide on the best way. Realistically, blocking the IP for 30 mins may not be the way as the system is for an entire office and they would all be blocked.
As an alternative, I was thinking of locking a particular account following 3 failed login attempts.
Would this be effective? My thinking is a dictionary attack may stumble upon a correct username, but the likelihood of the correct password being found in 3 attempts is slim to say the least.
Has anyone had much experience with this, or could recommend a better option?
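An added example (not code from the original post) of the per-account lockout the question proposes: three failed attempts lock that account for 30 minutes, keyed on the account rather than the client IP, so a shared office address is not blocked by one user's typos. The in-memory store, PBKDF2 hashing and the injectable `now` clock are assumptions made for the illustration.

```python
"""Per-account lockout after N failed logins (illustration, not the
original poster's code). Assumptions: in-memory account store, PBKDF2
for the stored hash, and an optional `now` argument so the lock timing
can be exercised without waiting."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3            # failed attempts before the account locks
LOCKOUT_SECONDS = 30 * 60   # lock duration; 30 minutes as in the question


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def attempt_login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'.

    The lock is keyed on the account, not the client IP, so colleagues
    behind one NAT address are not collectively blocked."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"               # even a correct password is refused
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures = 0             # success clears the failure counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0             # counter restarts once the lock expires
    return "bad_password"
```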