Applications implement various methods to thwart password-guessing attacks. These methods include:
1. Account Lockout: This method involves locking the account after a certain number of failed login attempts. The account remains locked for a specified period, or until an administrator manually unlocks it. This method discourages multiple incorrect password attempts by blocking access completely.
2. Progressive Delays: With this method, users are required to wait for a certain period after a failed login attempt before making another attempt. The delay period gets progressively longer with each subsequent failed attempt. This discourages password-guessing attempts by making them time-consuming.
3. CAPTCHA: CAPTCHA tests are designed to tell humans and computer programs apart. They're often used after a number of failed login attempts. Since CAPTCHA tests typically require a human to decipher and input complex data, this method is effective at deterring automated password-guessing attempts.
4. Multi-factor Authentication (MFA): This method requires users to provide more than one piece of evidence of their identity when logging in, such as a password plus a code sent by SMS to their mobile phone. If an attacker guesses the password, they would still need the second piece of information to gain access, making the attack much more difficult.
5. Monitoring and Alerts: Monitoring software can detect unusual login behaviors, such as numerous failed login attempts from the same IP address. The software would then alert the proper authorities or trigger additional security measures.
Note that these are general security measures; applications may implement them differently, or choose alternative measures, depending on their specific security needs.
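
The following added example (not from the original page) combines methods 1, 2 and 5 in one in-memory throttle: progressive delays, a timed account lockout, and an alert on repeated failures from one IP address. The class name, all thresholds and the caller-supplied clock value `now` are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# All thresholds are illustrative assumptions, not values from the page.
BASE_DELAY = 1.0       # seconds to wait after the first failure
MAX_DELAY = 60.0       # cap on the progressive delay
LOCKOUT_AFTER = 5      # consecutive failures before the account locks
LOCKOUT_SECS = 900.0   # length of the timed lockout
IP_ALERT_FAILS = 10    # failures from one IP ...
IP_WINDOW = 300.0      # ... within this many seconds raise an alert


class LoginThrottle:
    def __init__(self):
        self.fails = defaultdict(int)       # account -> consecutive failures
        self.blocked_until = {}             # account -> earliest next attempt
        self.ip_fails = defaultdict(deque)  # ip -> timestamps of recent failures
        self.alerts = []                    # (ip, time) records for monitoring

    def retry_after(self, account, now):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        return max(0.0, self.blocked_until.get(account, 0.0) - now)

    def record(self, account, ip, success, now):
        """Record the outcome of an attempt that was allowed to proceed."""
        if success:
            # A correct password clears the account's failure history.
            self.fails.pop(account, None)
            self.blocked_until.pop(account, None)
            return
        self.fails[account] += 1
        n = self.fails[account]
        if n >= LOCKOUT_AFTER:
            wait = LOCKOUT_SECS                               # method 1: lockout
        else:
            wait = min(MAX_DELAY, BASE_DELAY * 2 ** (n - 1))  # method 2: doubling delay
        self.blocked_until[account] = now + wait
        # Method 5: sliding window of failures per source IP, across all accounts.
        window = self.ip_fails[ip]
        window.append(now)
        while window and window[0] <= now - IP_WINDOW:
            window.popleft()
        if len(window) == IP_ALERT_FAILS:  # fire once when the threshold is reached
            self.alerts.append((ip, now))
```

Because the delay and lockout are keyed on the account name, anyone who knows a username can trigger them for that user; the per-IP window is what surfaces a single source failing across many different accounts, which per-account counters alone never see.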