John is concerned about someone using a password cracker on computers in his company. He is concerned that crackers will attempt common passwords in order to log in to a system. Which of the following would be BEST for mitigating this threat?

Accounts should lock out after a small number of login attempts. Three is a common number of attempts before the account is locked out. This prevents someone from just attempting random guesses. Password aging will force users to change their passwords but won’t affect password guessing. Longer passwords would be harder to guess, but this option is not as effective as account lockout policies. Account usage auditing won’t have any effect on this issue.