Preventing Brute-Force Attack

Samuel
Venture Garden Group Technology Blog
3 min read · Jan 6, 2017

A brute-force attack is one of the most interesting and effective types of attacks. These attacks can be used against any type of encryption, with varying degrees of success. It’s an attack that is still in use in the wild to compromise SSH servers and web apps, and it’s becoming faster and more effective with each passing day.

It is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. It’s as easy as setting a few parameters about your target and going back to sleep, only to wake up in the morning with plain passwords spelt out boldly on your computer screen.

Pheeemh! Your target pwned with little effort :)!
Ahooo!

In a recent study, Deloitte reported that over 90 percent of passwords created by individual users are vulnerable to a brute-force attack in a matter of seconds. The researcher determined that a dictionary of the 10,000 most common passwords would match 98 percent of all secured accounts.

Why account lockout is not a perfect solution

This is often the most used and obvious way to block brute-force attacks. It simply locks out an account after a defined number of incorrect password attempts. The problems with account lockouts are:

  • It can lead to denial of service (DoS) by locking out large numbers of accounts.
  • Account lockout is ineffective against slow attacks that try only a few passwords every hour.
  • If attackers target an administrator’s account and succeed in locking it out, a new problem emerges.
  • It is less effective when a combined password list is used against many usernames.
  • Even once you lock out an account, the attack may continue, consuming valuable human and computer resources.

How to prevent brute-force attacks on web apps

The solution lies in the hands of developers. Here is what you need to do to prevent brute-force attacks.

Incremental delay/Request throttling

An incremental delay is used to cause an exponentially increasing delay between failed login attempts: for example, after the first failed login attempt there is a 1-second delay, after the second a 2-second delay, then 4, 8, 16, 32 seconds and so on. This simple defence reduces the number of guesses an attacker can make from thousands per minute down to only a few before the delay becomes so long that the exercise is pointless: after 20 failed login attempts the delay is 6 days!
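The following is an added example, not code from the original post, showing the incremental delay described above as a small login throttle. It goes slightly beyond the text by keying the delay on both the account name and the client IP, which also blunts the "one password list against many usernames" pattern from the account-lockout section. It assumes an in-memory store (a multi-node deployment would share these counters through something like Redis and expire them with a TTL), a constructed user table with a constructed salt, and an injectable clock so the behaviour can be exercised without actually sleeping.

```python
# Added example (not from the original post): exponential delay between
# failed logins, keyed per account and per client IP.
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass

SALT = b"constructed-demo-salt"  # constructed; use a per-user random salt in practice


def _hash_password(password: str) -> bytes:
    # PBKDF2 so the stored value is not a reversible encoding of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass
class _Failures:
    count: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    """1s, 2s, 4s, 8s ... delay after consecutive failures, tracked per key."""

    def __init__(self, base_delay: float = 1.0, clock=time.monotonic):
        self._base = base_delay
        self._clock = clock
        self._state: dict[str, _Failures] = {}

    def delay_after(self, failures: int) -> float:
        """Seconds to wait after the n-th consecutive failure: base * 2**(n-1)."""
        return 0.0 if failures <= 0 else self._base * 2 ** (failures - 1)

    def wait_seconds(self, key: str) -> float:
        """Remaining block time for this key (0 when it may try now)."""
        st = self._state.get(key)
        return 0.0 if st is None else max(0.0, st.blocked_until - self._clock())

    def record_failure(self, key: str) -> int:
        st = self._state.setdefault(key, _Failures())
        st.count += 1
        st.blocked_until = self._clock() + self.delay_after(st.count)
        return st.count

    def reset(self, key: str) -> None:
        self._state.pop(key, None)


def attempt_login(throttle: LoginThrottle, users: dict[str, bytes],
                  username: str, password: str, client_ip: str):
    """Return (ok, reason, seconds_to_wait).

    While the account or the client IP is inside its delay window the request
    is refused *before* the password is checked, so a guess made during the
    window yields no information and does not reset or shorten the wait.
    """
    user_key, ip_key = f"user:{username}", f"ip:{client_ip}"
    wait = max(throttle.wait_seconds(user_key), throttle.wait_seconds(ip_key))
    if wait > 0:
        return False, "throttled", wait
    stored = users.get(username)
    candidate = _hash_password(password)  # hashed even for unknown users: similar timing
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.reset(user_key)  # only the account; the IP counter expires via TTL in a real store
        return True, "ok", 0.0
    throttle.record_failure(user_key)
    throttle.record_failure(ip_key)
    return False, "bad-credentials", max(throttle.wait_seconds(user_key),
                                         throttle.wait_seconds(ip_key))


class FakeClock:
    """Constructed clock so the example runs without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(failed_guesses: int) -> list[float]:
    """Burst of wrong guesses against one account; returns the imposed waits."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": _hash_password("correct horse")}  # constructed user
    waits = []
    for _ in range(failed_guesses):
        _, _, wait = attempt_login(throttle, users, "alice", "wrong", "203.0.113.5")
        waits.append(wait)
        clock.advance(wait)  # an honest client waits the delay out
    return waits


if __name__ == "__main__":
    print(simulate(5))  # [1.0, 2.0, 4.0, 8.0, 16.0]
    print(f"after 20 failures: {LoginThrottle().delay_after(20) / 86400:.1f} days")  # 6.1
```

Note that a correct password submitted inside the window is refused as "throttled" without the hash ever being compared, so an attacker gains nothing by continuing to hammer the endpoint, and an honest user who mistyped twice only pays a few seconds.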

Use a CAPTCHA

This is the method most technology giants (Facebook, Google) employ to fight brute-force attacks on their authentication pages. Gmail cannot tell whether a continuous stream of requests is coming from a legitimate user or from an automated system.

Give users the option to allow login only from a specific IP address

Helpful repositories to get you up and running for your next project

  1. Stefanprodan wrote a nice filter for MVC/WebApi ASP.NET on GitHub. It’s easy to use.
  2. Laravel’s default authentication, from version 5.0 onward, throttles login requests by default.
  3. CodeIgniter users: Ion-Auth by Ben Edmunds has this feature built in.
  4. For Django framework users, these repositories will help greatly.
