What's the best way to prevent a dictionary attack? I've thought up several implementations but they all seem to have some flaw in them:
It depends on what you mean by "prevent".
If you don't want them wasting your bandwidth, throttling, lockout, etc. are viable options. There is overhead with heat-tables -- you have to create and maintain the logic, store and administer the "heat maps", etc. I've also seen some IP geolocation based systems that throw up a captcha or alter the log-in profile if a user tries to log in from a "distant" or "unknown" IP.
If you simply want to massively reduce the effectiveness of dictionary attacks, use a salt in addition to password hashes.
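An added example (not from the question or answer) showing the two mechanisms the answer names together: a per-user random salt with a slow hash (PBKDF2) for stored passwords, and a per-account failure counter with a timed lockout. The `LoginThrottle` class, the threshold values and the injectable clock are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt per user means the same
    password hashes differently for every account, so one precomputed dictionary
    cannot be reused against the whole user table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Per-account failure counter with a timed lockout (the 'lockout' option
    from the answer). `clock` is injectable so the behaviour is testable."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failures
        self._locked_until = {}  # username -> monotonic time when lock expires

    def login(self, username, password, users):
        """users maps username -> (salt, digest). Returns 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"  # refuse without hashing; no information about the password
        record = users.get(username)
        # Hash a dummy record for unknown users so response time does not reveal valid usernames
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        if check_password(password, salt, digest) and record is not None:
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
        return "bad_credentials"
```

Note that lockout on its own lets an attacker lock legitimate users out of their accounts, which is one reason the answer also mentions throttling and captcha-style challenges.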