What's the best way to prevent a dictionary attack? I've thought up several implementations but they all seem to have some flaw in them:
There is an eternal tradeoff between security, availability and usability, which means that there is no perfect solution.
A decent tradeoff, depending on your situation, is to use option #1 with a captcha. Lock the account after three failed attempts, but allow subsequent login attempts if a captcha is correctly solved.
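As an added illustration of the throttle the answer describes (example code, not from the original post): a per-account failure counter that locks after three bad passwords and, once locked, only evaluates attempts that arrive with a correctly solved captcha. `verify_password` and `verify_captcha` are assumed application hooks, and `make_demo_throttle` wires in constructed stand-ins for them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 3  # lock after three failed attempts, as the answer suggests


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False


class LoginThrottle:
    """Per-account lockout after MAX_FAILURES bad passwords. A locked account is
    not refused outright: attempts are still evaluated if a captcha was solved,
    so an attacker cannot deny service to the real user by spamming bad logins,
    while an automated dictionary run is stopped at the captcha."""

    def __init__(self, verify_password: Callable[[str, str], bool],
                 verify_captcha: Callable[[str], bool]):
        # Assumed application hooks: verify_password(user, pw) -> bool,
        # verify_captcha(token) -> bool. Persisting the counters (database,
        # cache) and any time-based unlock are left to the application.
        self._verify_password = verify_password
        self._verify_captcha = verify_captcha
        self._state: Dict[str, AccountState] = {}

    def attempt(self, username: str, password: str,
                captcha_token: Optional[str] = None) -> str:
        st = self._state.setdefault(username, AccountState())
        if st.locked and (captcha_token is None
                          or not self._verify_captcha(captcha_token)):
            # Do not even check the password without a solved captcha
            return "captcha_required"
        if self._verify_password(username, password):
            self._state[username] = AccountState()  # success clears the lock
            return "ok"
        st.failures += 1  # a wrong password behind a captcha still counts
        if st.failures >= MAX_FAILURES:
            st.locked = True
        return "denied"


def make_demo_throttle() -> LoginThrottle:
    # Constructed checkers for demonstration only; a real deployment compares
    # against a salted password hash and a captcha service.
    return LoginThrottle(lambda u, p: p == "correct horse",
                         lambda token: token == "solved")
```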