So I have read some articles on how to implement brute force login protection, but all of them seem to have some sort of drawback, so here are the approaches I found:

Captcha
Since there are "captcha solvers", I don't think this is very efficient.

Ban IP address based on # of failed login attempts
Well, this could lead to a lot of extra work on the help desk, and malicious attackers can intentionally lock out innocent clients by faking their IP.

Lock out account for # of failed login attempts
Same reason as above: malicious attackers can lock out clients.

Honey pot
Well, I don't think this will work for any experienced hackers.

Device cookies
This is by far the best one I have found; it does increase security but is not enough by itself.
So if all of the above techniques have some degree of drawbacks, how do big sites like Google or Freelancer implement BFP? Is it just a combination of everything, or is there something I missed?

Besides, can attackers figure out usernames by abusing the signup username check?
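To make the device-cookie approach from the question concrete, here is an added example (not code from the question or from any site it names) of a login throttle that keeps separate failure counters for trusted devices (those presenting a valid HMAC-signed cookie issued after an earlier successful login) and for untrusted clients (counted per account). The server key, the credential store, the lockout thresholds and the `LoginGuard` class are all constructed for this illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = b"constructed-demo-key"          # real deployments: random, secret, rotated
MAX_FAILS, LOCKOUT_SECS = 3, 600               # constructed thresholds

def _pw_hash(pw: str) -> bytes:
    # deliberately slow hash; salt is fixed here only to keep the demo short
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 10_000)

USERS = {"alice": _pw_hash("correct horse")}  # constructed credential store
DUMMY_HASH = _pw_hash("")                      # used for unknown users so they cost the same

class LoginGuard:
    """Throttle failures per device cookie (trusted) or per account (untrusted)."""

    def __init__(self):
        self.device_fails = {}     # nonce    -> (fail_count, locked_until)
        self.untrusted_fails = {}  # username -> (fail_count, locked_until)

    def issue_cookie(self, username: str) -> str:
        """Issued only after a successful login; binds a random nonce to the user."""
        payload = f"{username}:{secrets.token_hex(8)}"
        sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def _valid_nonce(self, cookie, username):
        """Return the nonce if the cookie is well-formed, unforged and bound to this user."""
        try:
            user, nonce, sig = cookie.rsplit(":", 2)
        except (AttributeError, ValueError):
            return None
        expected = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return nonce if user == username and hmac.compare_digest(sig.encode(), expected.encode()) else None

    def attempt(self, username: str, password: str, cookie, now: float) -> str:
        nonce = self._valid_nonce(cookie, username) if cookie else None
        # trusted devices are throttled by their own nonce, everyone else by the account name,
        # so an attacker without a valid cookie cannot lock out a user who has one
        table, key = (self.device_fails, nonce) if nonce else (self.untrusted_fails, username)
        count, locked_until = table.get(key, (0, 0.0))
        if now < locked_until:
            return "locked"
        stored = USERS.get(username, DUMMY_HASH)
        ok = hmac.compare_digest(stored, _pw_hash(password)) and username in USERS
        if ok:
            table[key] = (0, 0.0)
            return "ok:" + (cookie if nonce else self.issue_cookie(username))
        count += 1
        table[key] = (count, now + LOCKOUT_SECS if count >= MAX_FAILS else 0.0)
        return "fail"
```

The remaining trade-off is visible in the test: a genuine user on a brand-new device is still locked out for the untrusted window, which is why the question's note that device cookies alone are not enough still holds.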