Preventing dictionary attacks on a web application

一个人的身影 2021-02-01 20:53

What's the best way to prevent a dictionary attack? I've thought up several implementations but they all seem to have some flaw in them:

  1. Lock out a user after X
8 answers
  •  我在风中等你
    2021-02-01 21:34

    First off, stop your users from choosing common passwords. Add a "black list" to your database and check new passwords against them. You can populate it using one of many password or word lists, like here:

    http://securityoverride.org/infusions/pro_download_panel/download.php?did=66

    Second, consider a temporary lock-out. If you have a "User" table, add "LastLoginAttemptedOn" and "FailedLoginAttempts" columns. Update these values each time the user attempts to log in. When the user successfully logs in, reset FailedLoginAttempts back to 0. When FailedLoginAttempts reaches 4 (or whatever you prefer), don't let the user attempt to log in for 5 minutes (again, your preference) from LastLoginAttemptedOn. Don't update this column until they are actually allowed to attempt it, so that an attempt 4 minutes later cannot reset the timer. Reset FailedLoginAttempts to 0 when the timer resets so they have several more retries.
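
    The blacklist check and the temporary lock-out from this answer, as an added Python example that is not part of the original post. The User table columns are kept as field names; the small in-memory password list, the PBKDF2 hashing and the 100,000 iterations are my own assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 4             # the answer's "4 (or whatever you prefer)"
LOCKOUT_WINDOW = timedelta(minutes=5)
# Constructed stand-in for the database-backed "black list" of common passwords.
PASSWORD_BLACKLIST = {"password", "123456", "qwerty", "letmein"}


@dataclass
class User:
    """Mirrors the User table columns the answer proposes."""
    username: str
    salt: bytes
    password_hash: bytes
    failed_login_attempts: int = 0
    last_login_attempted_on: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme; any slow salted KDF works the same way here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_blacklisted(password: str) -> bool:
    return password.lower() in PASSWORD_BLACKLIST


def register(username: str, password: str) -> User:
    if is_blacklisted(password):
        raise ValueError("password is on the common-password list")
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt))


def attempt_login(user: User, password: str, now: datetime) -> str:
    """Returns 'locked', 'bad_password' or 'ok' and updates the user's counters."""
    if user.failed_login_attempts >= MAX_FAILED_ATTEMPTS and user.last_login_attempted_on:
        if now - user.last_login_attempted_on < LOCKOUT_WINDOW:
            # Locked out: LastLoginAttemptedOn is deliberately left untouched so a
            # retry during the lock-out cannot push the unlock time forward.
            return "locked"
        user.failed_login_attempts = 0  # window expired: fresh set of retries
    user.last_login_attempted_on = now
    if hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        user.failed_login_attempts = 0
        return "ok"
    user.failed_login_attempts += 1
    return "bad_password"
```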
