Ask HN: Best approach for managing failed login attempts? Should I lock a user account based on X amount of failed login attempts over Y amount of time? Should X be 3 attempts and Y be 24 hours? Or should it be a higher number over all time? Once locked should the user have to request an unlock email with a link? What's the best approach?
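The thread has no answers, so here is an added example (not the poster's code) of the mechanism the question sketches: failures are counted in a sliding window of Y seconds, the account is locked once X failures fall inside that window, and a one-time token sent out of band (the "unlock email") clears the lock. X and Y are parameters rather than a recommendation, the in-memory dictionaries and the `ManualClock` helper are assumptions made so the example runs offline, and a real deployment would keep this state in the user store or a cache shared by all app servers.

```python
"""Sliding-window failed-login tracker with account lockout and one-time
unlock tokens.  Added example; thresholds are parameters, not advice."""
import hmac
import secrets
import time
from collections import deque


class ManualClock:
    """Controllable clock so the lockout logic can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    def __init__(self, max_failures, window_seconds, lockout_seconds=None, clock=time.time):
        self.max_failures = max_failures        # X in the question
        self.window_seconds = window_seconds    # Y in the question
        # None means "locked until an unlock token is redeemed"; a number
        # means the lock expires on its own after that many seconds.
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}       # username -> deque of failure timestamps (assumed in-memory store)
        self._locked_until = {}   # username -> expiry timestamp, or None for an indefinite lock
        self._unlock_tokens = {}  # username -> outstanding one-time unlock token

    def _prune(self, q, now):
        """Drop failure timestamps that have fallen out of the window."""
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()

    def is_locked(self, username):
        if username not in self._locked_until:
            return False
        until = self._locked_until[username]
        if until is None or self._clock() < until:
            return True
        # A timed lock has expired: clear it and start a fresh window.
        del self._locked_until[username]
        self._failures.pop(username, None)
        return False

    def record_failure(self, username):
        """Record a failed attempt; returns True only if this attempt triggered a lock."""
        if self.is_locked(username):
            return False  # already locked; the login path should have rejected this earlier
        now = self._clock()
        q = self._failures.setdefault(username, deque())
        self._prune(q, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[username] = (
                None if self.lockout_seconds is None else now + self.lockout_seconds
            )
            return True
        return False

    def record_success(self, username):
        """A successful login resets the failure window."""
        self._failures.pop(username, None)

    def failures_in_window(self, username):
        q = self._failures.get(username)
        if not q:
            return 0
        self._prune(q, self._clock())
        return len(q)

    def issue_unlock_token(self, username):
        """Create the single-use secret that would be embedded in the unlock link."""
        token = secrets.token_urlsafe(32)
        self._unlock_tokens[username] = token
        return token

    def redeem_unlock_token(self, username, token):
        """Constant-time check of the presented token; on success the lock and counters are cleared."""
        expected = self._unlock_tokens.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        del self._unlock_tokens[username]
        self._locked_until.pop(username, None)
        self._failures.pop(username, None)
        return True
```

Two practical points the question does not raise: with an indefinite lock, anyone who knows a username can lock that user out simply by guessing wrong X times, so the lockout is usually paired with per-source rate limiting and a timed (rather than permanent) lock; and the unlock token should be single-use and compared in constant time, as above, since it is the only thing standing between a locked account and the login form.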
No comments yet