Among the countermeasures for brute force attacks such as Two-Factor Authentication (2FA), salting, login throttling, key stretching, or Complex password. Which would be the most effective against brute force attacks?
Using multi-factor authentication, long and complex passwords, strong encryption algorithms with long key, and so on are some of the techniques we employ to protect ourselves from Brute Force attacks. We have to apply all the techniques mentioned in the question in defense-in-depth approach. There is no single cure for brute force attack, rather we got to use a couple of mechanisms instead of relying on a single approach. I would recommend salting, for example, to increase the randomness of our password and make it unguessable. All in all, the issue should be addressed by layered defense mechanisms instead of relying on single protection.
Two-Factor Authentication (2FA) requires having an additional login credential to password. Which is something you know (your password) plus something you have such as tokens.
Key stretching makes a password more secure against a brute-force attack by increasing the time and effort to break the password.
Login throttling denies a user from attempting logins after a certain number of failed attempts.
Salting is the addition of random characters to passwords before hashing, it does not protect against brute force attacks.
Therefore, two-factor authentication (2FA), Key stretching, and limited login (login throttling) are good countermeasures for brute force attacks. Complex passwords can help, but will finally be broken.