It is a basic premise in security: prevent rather than react. This was reinforced again recently by the difficulties encountered by Twitter (Infoweek: Twitter Hack Made Possible By Weak Password). Twitter is a popular, award-winning service that has been around since 2006. It has raised over $22 million but failed to address very basic security vulnerabilities.
"According to a report filed by Kim Zetter of Wired News, an 18-year-old hacker calling himself GMZ gained access to the account of a Twitter employee on Monday using a dictionary attack program that he created. Because the Twitter employee's account had access to administrative tools, GMZ was able to access any Twitter member's account by resetting the password."
Several rookie mistakes here. First, having your administrator use the same web application that users use to manage their accounts. The administrator tools should have been a separate server and application. Second, it is sloppy password management to allow a common word as a password. Finally, and most importantly, allowing unlimited login attempts. This is the core issue: it gave the hacker as many chances as they needed to attack the login form. Who doesn’t use a lockout feature to limit the number of login attempts in 2009?
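To make the last two points concrete, here is an added example (not code from the original post or from Twitter) of what a login gate with a lockout and a dictionary-word password policy looks like. The thresholds (five failures, a 15-minute lockout), the `COMMON_WORDS` list, the PBKDF2 parameters and the function names are all illustrative assumptions; the `simulate_dictionary_attack` helper only drives the gate with a constructed wordlist to show how few guesses ever get checked once the lockout is in place.

```python
"""Added example: failed-attempt lockout plus a common-word password check.
Every name and threshold here is an assumption for illustration."""
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60        # assumption: 15-minute lockout window

# Constructed mini "dictionary" standing in for a real common-password list.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome", "qwerty"}


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential store is not a bare word list.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_allowed(password: str) -> bool:
    """Reject short passwords and plain dictionary words (case-insensitive)."""
    return len(password) >= 12 and password.lower() not in COMMON_WORDS


def create_account(username: str, password: str,
                   salt: bytes = b"constructed-salt") -> Account:
    if not password_allowed(password):
        raise ValueError("password rejected by policy")
    return Account(username, salt, hash_password(password, salt))


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'denied', counting failures and enforcing the lockout."""
    if now < acct.locked_until:
        return "locked"              # inside the window: the guess is not even checked
    candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.pw_hash):
        acct.failed_attempts = 0     # success clears the counter
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0     # counter restarts after the window expires
    return "denied"


def simulate_dictionary_attack(acct: Account, wordlist, start: float = 0.0) -> dict:
    """Drive the gate with a wordlist (one guess per second) and count what was checked."""
    checked = locked = 0
    for i, word in enumerate(wordlist):
        if attempt_login(acct, word, start + i) == "locked":
            locked += 1
        else:
            checked += 1
    return {"checked": checked, "locked": locked}


if __name__ == "__main__":
    acct = create_account("admin", "correct horse battery")
    # Constructed wordlist: common words first, the real password last.
    guesses = ["password", "letmein", "qwerty", "welcome", "123456",
               "happiness", "abc123", "correct horse battery"]
    print(simulate_dictionary_attack(acct, guesses))   # {'checked': 5, 'locked': 3}
```

With the lockout in place the real password in position eight is never evaluated; without it every guess is. A production version would also log each lockout event and key the counter on the client address as well as the account, so a single source hammering many accounts is visible too.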