What recommendation is most likely to prevent future brute-force attacks on service accounts?


Implementing account lockout mechanisms is a highly effective strategy for preventing future brute-force attacks on service accounts. When account lockout is enabled, the system temporarily disables an account after a specified number of failed login attempts. This deters attackers who try to gain unauthorized access by repeatedly guessing passwords, because the account becomes temporarily unusable once the threshold of failed attempts is reached.

While increasing password length, daily password changes, and two-factor authentication are all valuable security measures, they do not directly mitigate the immediate risk posed by brute-force attacks as effectively as account lockout does. Longer passwords are harder to crack, and two-factor authentication adds an additional layer of verification that increases security, but these measures might not prevent the initial attack attempts. Additionally, requiring daily password changes could lead users to adopt less secure password practices, thereby increasing vulnerability.

Thus, the account lockout approach is a direct response to the tactics employed in brute-force attacks, providing a more immediate and preventative measure against repetitive unauthorized access attempts.
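The lockout behaviour described above, as an added example that is not part of the original page: a small policy object replays a constructed sequence of login attempts and shows that, once the threshold is reached, even a correct password is refused until the lockout expires. The threshold (5), counting window (300 s), lockout duration (900 s) and the account names are assumptions chosen for illustration.

```python
class LockoutPolicy:
    """Temporary account lockout after repeated failed logins."""

    def __init__(self, threshold=5, window=300, duration=900):
        self.threshold = threshold  # failures that trigger a lockout (assumed value)
        self.window = window        # seconds over which failures are counted (assumed)
        self.duration = duration    # seconds the account stays disabled (assumed)
        self.failures = {}          # account -> timestamps of recent failures
        self.locked_until = {}      # account -> time at which the lockout expires

    def attempt(self, account, password_ok, now):
        """Process one login attempt; return 'ok', 'failed' or 'locked'."""
        if now < self.locked_until.get(account, 0):
            return "locked"  # refused without even checking the password
        if password_ok:
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        # Keep only failures that are still inside the counting window.
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.duration
            self.failures.pop(account, None)
            return "locked"  # this failure reached the threshold
        return "failed"


def replay(events, policy=None):
    """Run (timestamp, account, password_ok) events through a policy."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(acct, ok, ts) for ts, acct, ok in events]


# Constructed sample: one guess per second against svc_backup, with the
# correct password arriving at t=7, plus an unrelated account and a
# legitimate login after the lockout has expired.
EVENTS = (
    [(t, "svc_backup", False) for t in range(7)]
    + [(7, "svc_backup", True), (8, "svc_report", True), (1000, "svc_backup", True)]
)

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS)):
        print(event, "->", result)
```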
