I like the idea of asking for a captcha after 2 failed logins. We had set up a pretty restrictive Cloudflare rule which blocked access to the site for some amount of time (60 minutes?) from IP addresses that got more than 5 (IIRC) failed logins within a short, sliding window of time (2 minutes?). But the botnet had a ton of machines on it. The rule didn't block nearly as many requests as I hoped it would. A captcha, though, could be set to be pretty restrictive like you suggest.
Passwords: I actually did up the password requirements (to require 10 characters), but the CEO wants me to pull back to just 8 characters. And no special characters. Our conversion rate went down a tiny bit, could be the restrictive password requirements that did it.
Keeping a record of common IP addresses and enforcing something like 2FA for strange logins: Love that idea. Would love to implement it. Can't, though. The CEO won't go for it, says 2FA lowers conversion and he's probably right about that.
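As an added example (not code from this thread), here is the pairing of the two controls discussed above: the per-IP sliding-window block with the 5-in-2-minutes / 60-minute figures from the post, beside a per-account counter that triggers a CAPTCHA after 2 failures. The per-account window length, IP addresses and account name are constructed assumptions; the simulation shows why the per-account rule still fires when failures are spread across many botnet IPs.

```python
from collections import defaultdict, deque

# Thresholds from the discussion: more than 5 failures per IP inside a 120 s
# sliding window blocks that IP for 60 minutes; 2 failures on one account
# demand a CAPTCHA. The account-side window (1 h) is an assumption.
IP_FAILS, IP_WINDOW, IP_BLOCK = 5, 120, 3600
ACCOUNT_FAILS, ACCOUNT_WINDOW = 2, 3600


class LoginGuard:
    """Tracks failed logins per source IP and per target account."""

    def __init__(self):
        self.ip_fails = defaultdict(deque)      # ip -> failure timestamps
        self.ip_blocked_until = {}              # ip -> unblock time
        self.acct_fails = defaultdict(deque)    # account -> failure timestamps

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have slid out of the window.
        while q and q[0] <= now - window:
            q.popleft()

    def record_failure(self, ip, account, now):
        self.ip_fails[ip].append(now)
        self.acct_fails[account].append(now)
        self._prune(self.ip_fails[ip], now, IP_WINDOW)
        if len(self.ip_fails[ip]) > IP_FAILS:
            self.ip_blocked_until[ip] = now + IP_BLOCK

    def decision(self, ip, account, now):
        """Return 'block', 'captcha' or 'allow' for the next attempt."""
        if self.ip_blocked_until.get(ip, 0) > now:
            return "block"
        self._prune(self.acct_fails[account], now, ACCOUNT_WINDOW)
        if len(self.acct_fails[account]) >= ACCOUNT_FAILS:
            return "captcha"
        return "allow"


def simulate_distributed_guess(n_ips, account="victim@example.com"):
    """Constructed scenario: n_ips distinct IPs each fail once against one
    account. The per-IP block never fires; the per-account CAPTCHA does."""
    g = LoginGuard()
    for i in range(n_ips):
        g.record_failure(f"203.0.113.{i}", account, now=float(i))
    return g.decision("203.0.113.250", account, now=float(n_ips))
```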