I saw a creative approach to this once…
For each login attempt that fails, the lockout time increases… exponentially.
attempt | lockout time
======================
1 | 2s
2 | 4s
3 | 8s
4 | 16s
5 | 32s
6 | 64s
7 | 128s
8 | 256s
9 | 512s
10 | 1024s
In theory, it lets the user make a mistake or two, but as soon as it appears to become a “hacking” attempt, the hacker gets locked out for longer and longer time periods.
I haven’t used this myself (yet), but conceptually I quite like the idea. Of course on successful login, the counter is reset.
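Below is an added example of the scheme described in the post above (2s, 4s, 8s, … doubling per consecutive failure, reset on success). It is not the poster's code. Two things are assumptions not in the post: a hard cap on the lockout (otherwise an attacker who deliberately fails a few dozen times can lock the legitimate owner out for years, so you also want to decide whether to key the counter by account, by client IP, or by both), and timestamps passed in explicitly so the logic can be exercised without sleeping. The credential store and the "alice" account are constructed for the demo.

```python
"""Exponential login lockout: the Nth consecutive failure locks the key for 2**N seconds.

Added example, not the original poster's code. Assumptions (not in the post):
a hard cap on the lockout, the throttle keyed by an arbitrary string (account,
client IP, or both), and injected timestamps for testability.
"""
import hashlib
import hmac
import time

# Constructed credential store for the demo: username -> SHA-256(password).
# A real system would store a slow, salted hash (bcrypt/scrypt/Argon2) instead.
_USERS = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}
# Compared against for unknown usernames so the work done is the same either way.
_DUMMY_HASH = hashlib.sha256(b"no such user").hexdigest()


class ExponentialLockout:
    """Tracks consecutive failures per key and locks for base**failures seconds."""

    def __init__(self, base=2.0, max_lockout=1024.0):
        self.base = base
        self.max_lockout = max_lockout   # assumed cap; the post itself has none
        self._failures = {}              # key -> consecutive failed attempts
        self._locked_until = {}          # key -> unix time the lock expires

    def lockout_seconds(self, failures):
        """Lockout applied after the Nth consecutive failure (1 -> 2s, 10 -> 1024s)."""
        if failures <= 0:
            return 0.0
        return min(self.base ** failures, self.max_lockout)

    def seconds_remaining(self, key, now=None):
        """Seconds until the key may try again; 0.0 if it is not locked."""
        now = time.time() if now is None else now
        return max(0.0, self._locked_until.get(key, 0.0) - now)

    def record_failure(self, key, now=None):
        """Count one more failure and return the lockout it triggers."""
        now = time.time() if now is None else now
        n = self._failures.get(key, 0) + 1
        self._failures[key] = n
        delay = self.lockout_seconds(n)
        self._locked_until[key] = now + delay
        return delay

    def record_success(self, key):
        """On a successful login the counter is reset, as the post describes."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def total_lockout(failures, base=2.0):
    """Cumulative wait an attacker sits through across N consecutive failures."""
    return float(sum(base ** k for k in range(1, failures + 1)))


def attempt_login(throttle, username, password, now):
    """Return (ok, seconds_locked).

    A locked key is refused before the password is even checked, so the
    attacker learns nothing about the credential during the lockout.
    Refused-while-locked attempts do not extend the lock (design choice).
    """
    remaining = throttle.seconds_remaining(username, now)
    if remaining > 0:
        return False, remaining
    stored = _USERS.get(username, _DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time comparison; the membership check avoids a false match on the dummy.
    if hmac.compare_digest(stored, supplied) and username in _USERS:
        throttle.record_success(username)
        return True, 0.0
    return False, throttle.record_failure(username, now)


if __name__ == "__main__":
    t = ExponentialLockout()
    clock = 0.0
    for _ in range(4):
        ok, lock = attempt_login(t, "alice", "wrong password", clock)
        print(f"t={clock:6.1f}s ok={ok} locked for {lock:.0f}s")
        clock += lock
    print(attempt_login(t, "alice", "correct horse battery staple", clock))
    print("ten straight failures cost the attacker", total_lockout(10), "seconds")
```

Note that `attempt_login` is keyed by username here; keying by username alone lets anyone who knows a victim's login name deny them service, which is the trade-off the cap and the choice of key are there to manage.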