The "Good Practices" would be:
- Use usernames that are not predictable or guessable (e.g. avoid sequential IDs or a fixed first.last pattern that lets an attacker enumerate valid accounts).
- Enforce a strong password policy.
- Lock the user account after n consecutive failed login attempts.
- Consider making the lockout temporary (e.g. 30 minutes) rather than permanent: the account unlocks itself after the window, which blunts brute forcing without an attacker being able to permanently deny service to legitimate users.
- Display a generic error message on a failed login attempt, e.g. "Authentication failed". Do not reveal which check failed (invalid username, invalid password or account locked): distinct messages let an attacker enumerate valid usernames and detect when a lockout has triggered.
- No automatic account lockouts for admin accounts: an attacker who can trigger lockouts at will could otherwise lock administrators out of the system (a denial of service). Compensate with alerting on repeated failures, multi-factor authentication and restricting where admin logins are accepted from.
- Implement CAPTCHAs to hinder bots and automated username/password guessing.
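The following login handler is an added example (not code from the original page) that puts the lockout, timed-unlock, generic-message and admin-exemption points above into one piece of working code. The in-memory user store, the injectable clock, the `alerts` list standing in for a real alerting pipeline, and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Login handler demonstrating: lockout after N consecutive failures, a timed
lockout window, one generic failure message regardless of cause, and no
automatic lockout for admin accounts (alert instead).

Added example. The in-memory store, injectable clock and the `alerts` list
(a stand-in for a real alerting pipeline) are assumptions for the demo."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5              # n consecutive failures before lockout
LOCKOUT_SECONDS = 30 * 60            # 30-minute lockout window
GENERIC_FAILURE = "Authentication failed"   # never say which check failed
PBKDF2_ITERATIONS = 100_000          # assumed value; tune for your hardware


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


# Hash of a random throwaway password, used so an unknown username costs the
# same CPU time as a wrong password (reduces the timing side channel).
DUMMY_HASH = hash_password(os.urandom(16).hex())


class User:
    def __init__(self, username: str, password: str, is_admin: bool = False):
        self.username = username
        self.password_hash = hash_password(password)
        self.is_admin = is_admin
        self.failed_attempts = 0
        self.locked_until = 0.0


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the lockout window can be tested
        self.users: dict[str, User] = {}
        self.alerts: list[str] = []  # stand-in for paging the on-call team

    def add_user(self, username: str, password: str, is_admin: bool = False) -> None:
        self.users[username] = User(username, password, is_admin)

    def login(self, username: str, password: str):
        """Return (success, message). The failure message is identical for an
        unknown user, a wrong password and a locked account, so the response
        cannot be used to enumerate usernames or detect a lockout."""
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            verify_password(password, DUMMY_HASH)   # burn the same work as a real check
            return False, GENERIC_FAILURE
        if user.locked_until > now:
            # Locked: reject even a correct password, otherwise the attacker
            # learns the password is right as soon as the window expires.
            return False, GENERIC_FAILURE
        if verify_password(password, user.password_hash):
            user.failed_attempts = 0
            user.locked_until = 0.0
            return True, "OK"
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            if user.is_admin:
                # No automatic lockout for admins (an attacker could otherwise
                # lock operators out); raise an alert instead.
                self.alerts.append(
                    f"{user.failed_attempts} consecutive failed logins for admin {username}")
            else:
                user.locked_until = now + LOCKOUT_SECONDS
                user.failed_attempts = 0   # fresh n attempts once the window expires
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(svc.login("alice", "wrong"))
    print(svc.login("alice", "correct horse battery staple"))   # locked, still generic
```

Note that the lockout check runs before the password check: while locked, a correct password is rejected with the same message, so the attacker cannot confirm a hit during the window. The `alerts` list is where a real deployment would hook into its SIEM or paging system for the admin case.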