Preventing Brute Force Attacks

Brute Force attacks, though generally not effective given a secure enough password, are still always a concern in a variety of applications because they always have at least potential to be effective. If an attacker is capable of guessing every possible password combination (perhaps they have significant dedicated hardware), one of those guesses will be right and they will gain access to the system/user/device etc.

That said, there are ways that dramatically reduce the effectiveness of a brute-force attack, and more often than not render them absolutely ineffective against protected systems.

One common method to prevent brute force attacks are called Captchas. These are an additional question-response that a log in attempt must statisfy in order to send the login request at all. Usually, captchas are images that ask the user to fill in what the text in an image is - a task that is easy for a human to perform, but much more difficult for an automated computer to solve. Because of this, putting up a captcha wall prevents attackers from using automated scripts to try different password combinations - and doing a brute force by hand would take a very, very long time.

Another common method is a login attempt timeout, whereby after a certain amount of invalid login attempts (such as entering the wrong password) the server refuses to accept any more login attempts from that IP address for a set amount of time (or another common practice is to throw up a captcha wall after several invalid attempts). Attempting to brute force a login with this set up would not get past a few tries before being brought to a grinding halt.

These days most systems implement a variety of systems to prevent brute force attacks from ever being a problem - and they are so easy to implement it's rare to see places without them. Does this mean brute force attacks are no longer something to worry about? Not exactly - as security ramps up so do the attack methods, and brute forces now utilize even more well devised systems. Multiple IP addresses (often from botnets), automated Captcha solvers, and dictionary-based attacks are all becoming more and more commonplace and more threatening to web services.




Support Organizations