I have my login page and of course I want to prevent brute force attacks and cause less delay for the users when they are logging in.
Currently, you type in your username and password to log in.
I am considering implementing a reCAPTCHA. However, this shows on login after 3 failed attempts.
My question is:
What do you base the attempt on. IP addresses? It can always be hidden... username? What if they're trying a user that doesn't exist?
What would be the best method to count the failed login attempts?