There must be a mechanism to limit to the number of repeated unsuccessful attempts to log into an application or server that deals with confidential information.
Lock accounts (for either a specific amount of time or indefinitely) after some number of unsuccessful password attempts (for example, 10). These can either be consecutive or in a certain time period. NOTE that as users have more mobile devices that pull data like email from servers, this can cause problems immediately after password resets where accounts are locked.
Add a delay between authentication attempts after a certain number of unsuccessful attempts.