That's unrealistic and not really necessary, besides even complex passwords can be guessed given sufficient time and computing power. There are other things you could do, like tarpitting (i.e. slowing down responses to the requesting host, consuming their resources), staggered-period lockouts, captchas after several unsuccessful attempts or other random things that only a human could handle. Everything else gets blocked or black-holed...