Your company's security policy mandates the implementation of measures to defend against password-guessing attacks on user accounts. As part of strengthening the defense, which of the following would most effectively mitigate the risk of a dictionary attack?
Enforce a minimum password length of eight characters
Enforce an account lockout policy after three unsuccessful login attempts
Disable user accounts outside of business hours
Require passwords to be changed every 30 days