Account lockouts are an effective mitigation strategy against brute force attacks because they prevent unlimited, rapid guessing of passwords by locking the account after a certain number of failed login attempts. This drastically reduces the attacker's ability to systematically try all possible password combinations, thus safeguarding against brute force attacks. While all other options can enhance security, they do not specifically address the prevention of brute force attacks on passwords as directly as account lockouts do. Strong password policies make it more difficult for brute force attacks to succeed but do not stop attempts. Monitoring for unauthorized access can detect an ongoing attack but may not prevent it. Disabling unused accounts helps reduce the attack surface but does not directly prevent a brute force attack on active accounts.