Brute force, CAPTCHA and unique visitors identification

Some websites we're running have been audited for security issues, and one problem is that we don't protect authentication forms against brute force.

It has been decided that we would implement a CAPTCHA system after several wrong auth attempts.

The problem I'm digging into now is finding what criteria we could use to identify unique visitors.

Since our users are often grouped behind the same IP address, this criterion won't be enough. Cookies can be deactivated. I read some advice somewhere on here to use the user agent and/or some keys from the HTTP request headers, but I guess a trained hacker would generate new ones as he tries to brute force our websites.

Seeing that the conversion rate isn't an argument for our website, what is the best practice to identify unique visitors?

Thanks for your help!
