1 Chances are that you have a password to something , and that password is probably also stored somewhere.
2 Email the user a link to 'unlock' their account after a large number of failed attempts.
3 The salt that is used, will end up being returned within the hashed password - so no need to separately store the salt.