Brute force attacks: how to protect yourself?

Lees in het Nederlands - Lisez en français

Hackers do not only use known vulnerabilities and bugs in software, operating systems or content management systems to access your data or penetrate your website. Another method they use quite often is brute force. But what exactly is it? And how can you avoid falling victim to it?

Brute force targets the weakest link: you!

Briefly, a brute force attack is an attack in which automatic software checks login names and passwords until the correct combination is found to access your data or website.

Since many people choose existing words as their passwords, which they then slightly change, such cracking software often use words from the dictionary (dictionary attacks).

However, believe it or not, combinations such as “admin” as login and “12345” as password are also checked, as some people simply do not seem to care much about the most basic security rules!

Time is all crackers need...

Then again, long and complicated passwords can also be guessed, as long as the cracking software has enough time to do its work. Computers are getting faster by the day, which makes it increasingly easier to find the correct combination.

When a hacker can download your data, he also has all the time inBrute force the world to let the software do its work to crack the encryption. Fortunately, for data that are online, there are a few means of defence. Below, you will find a few useful tips.

Repelling brute force attacks is not only necessary to prevent hackers from accessing your data, but also not to compromise the performance of your site. Such an attack can indeed cause excessive usage of your server’s memory, since the number of HTTP requests (i.e. the number of times that someone – or in this case the program – visits your site) increases quite considerably. As a result, the server runs out of memory, which causes performance problems.

7 tips to prevent brute force attacks

  • Always use a strong password

A strong password is at least 8 characters long and contains letters (uppercase and lowercase), numbers and symbols:

` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

Make sure your users use strong passwords too. Since version 4.3 of e.g. WordPress, users are very clearly warned when their password is too weak.

  • Limit the number of login attempts to e.g. 3 before locking out the account

The user will then have to contact the admin to unlock the account. The disadvantage of this method is that some ‘funny man’ can use it to lock out several accounts, which would mean extra work for the system administrator. Alternatively, you can lock out only a part of the account. You can e.g. limit the number of available features in case of a failed login attempt.

  • Use progressive delays

After every failed login attempt, the user will have to wait increasingly longer before the next login attempt is allowed.

  • Let users attest they are not robots

Use a reCAPTCHA that requires users to enter a word or solve a simple puzzle. The drawback is that it negatively affects user experience.

  • Ask the secret question after two or more failed login attempts

Not only will this prevent automated attacks, but it will also prevent hackers from penetrating your system when they manage to guess your user name and password.

  • Allow or refuse access based on IP addresses

Allow e.g. users to log in from one or multiple IP addresses when you collaborate with permanent staff within a certain network. However, do not forget that IP addresses can change, and that hackers can mask their IP address.

  • Give a different login URL to certain groups

This way, you will spread the risks. In addition, make sure you avoid using /my-admin or /admin as your login URL!

Watch out for suspicious incidents!

Keep an eye on your server logs. Each failed login attempt will record an HTTP 401 status code in your web server logs. The following events should tip you off:

  • Multiple login attempts from the same IP address
  • Logins with different usernames from the same IP address
  • Logins for a single account coming from many different IP addresses
  • Excessive bandwidth consumption from a single user
  • Failed login attempts from usernames or passwords listed alphabetically

Do you want to know more? The Infosec Institute and Wikipedia provide you with a list of the most commonly used tools to prevent brute force attacks. Open Web Application Security Project also has a Tester to check if your website is vulnerable and includes code to block brute force attacks such as Password Authentication Delay with and C#. If you use WordPress, the WordPress Codex provides good tips to stop brute force attacks.

In the battle against brute force attacks, the most important thing is to buy time, and give the hacker a hard time!