Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I prevent brute-force attacks?

Tags:

security

authentication

brute-force

I'm working on authentication and adding brute-force protection. I'm not sure how I should proceed.

Should I just do a flat block after 15 failed attempts for a certain IP address... or should I tie it to username? Should there be both a captcha threshold and a absolute cutoff?

Are there other patterns I should be following?

like image 233
Earlz Avatar asked Nov 18 '11 18:11

Earlz

People also ask

How might brute force attacks be prevented?

Brute force attacks are entirely preventable. You can keep brute force attacks at bay and drastically improve your data security by having a strong password policy, limiting login attempts, enabling two-factor authentication, using CAPTCHAs, and blocking malicious IP addresses.

What is a defense against brute force password attacks?

The best defense against password attacks is ensuring that your passwords are as strong as they can be. Brute force attacks rely on time to crack your password. So, your goal is to make sure your password slows down these attacks as much as possible, because if it takes too long for the breach to be worthwhile…

Can a firewall stop a brute force attack?

Brute force attack prevention. If there's a user login for your website, it can be targeted by brute force password attacks. Bad actors use automated programs to try thousands of login combinations to get in. Our Web Application Firewall (WAF) stops unauthorized brute force login attempts before they happen.

Which of the following is used to prevent a brute force attack on user passwords?

Employ 2-Factor Authentication (2FA) Two-factor authentication is considered by many to be the first line of defense against brute force attacks. Implementing such a solution greatly reduces the risk of a potential data breach.

1 Answers

If someone is really trying a brute force, he may have a range of IPs to work with. What you could do is put an ever increasing delay after each try, and making it username specific. CAPTCHAs can be beaten (to varying degrees) so put a captcha treshold, a 'slow things down' threshold and then just block it for an hour.

Note that brute forcing this manner is incredibly stupid so I'd be more worried about the attacker getting a copy of the passwords from the database through an injection or whatever.

like image 96
Haedrian Avatar answered Sep 20 '22 12:09

Haedrian
Sign in to Comment

Related questions

Change Browser settings by script
Asp.net: Replace GenericPrincipal
Library/Function to tell the user how secure their password is?
How to get jetty to send jsessionid-cookies with the secure-flag when using a secure channel
How can I go about securely executing a subset of python?
Java EE Security - Which method to use?
License scheme, spoof-safe and revoke capabilities
How to fix the WCF maxClockSkew problem in a HTTPS Silverlight application context?
Why does new Facebook Javascript SDK not violate the "same origin policy"?
Public key cryptography with user-chosen passwords?
How To Ensure Uploaded File Contents Cannot Be Recovered After Use?
CouchDB - Figuring out database security
Security: How to validate image file uploads?
Best way to access a remote database: via webservice or direct DB-access?
Removing content from database, security precautions
Keeping user passwords safe in Java?
RegistrySecurity Access is denied. C#
How do I add an EncodingType attribute to the Nonce element of a UsernameToken in WSE 3.0 (.NET)
Could anyone tell me why / how this XSS vector works in the browser?
How to prevent override the setting using .htaccess or custom php.ini

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!