Was thinking about hackers in general, this whole bit of trying various obvious passwords, and it occurred to me that one of the things we might do is make the usual first steps in password hacking lead into a virtual pit of misery...

If certain obvious things were entered — your birthday, your pet's name, your kid's birthday, "password", "admin", etc. then all input from the source IP(s) could be locked out for a (long) period of time. That makes it pretty hard to continue trying passwords, obvious or otherwise.

Or, one could automatically blacklist said IP(s), for that matter. After all, what legitimate business would anyone have entering that kind of garbage into your well-secured website? Do you need their "patronage"? I don't think you do. I know I don't.

Another fun thing to do would be place an obvious "Administrator Log-in" link and service page on your website. Anyone enters a password on it — of any kind — and you blacklist them instantly. Would need noindex, nofollow set on such a page, plus dire warnings such as "Do NOT submit password using this page unless you are a legitimate system administrator", and of course you'd have to white list the black hats at Google, as they don't pay proper attention to noindex OR nofollow OR the robots.txt file for that matter.