 

How can I prevent brute-force attacks?

I'm working on authentication and adding brute-force protection. I'm not sure how I should proceed.

Should I just do a flat block after 15 failed attempts for a certain IP address... or should I tie it to username? Should there be both a captcha threshold and an absolute cutoff?

Are there other patterns I should be following?

Earlz asked Nov 18 '11 18:11




1 Answer

If someone is really trying a brute force, he may have a range of IPs to work with. What you could do is put an ever-increasing delay after each try, and make it username specific. CAPTCHAs can be beaten (to varying degrees), so put a captcha threshold, a 'slow things down' threshold and then just block it for an hour.

Note that brute forcing in this manner is incredibly stupid, so I'd be more worried about the attacker getting a copy of the passwords from the database through an injection or whatever.

Haedrian answered Sep 20 '22 12:09

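One way to implement the tiered scheme the answer describes (a CAPTCHA threshold, a growing per-username delay, then a one-hour block), as an added example in Python that is not code from the original thread; the class, method names and threshold values are assumptions chosen for illustration:

```python
from dataclasses import dataclass

# Tier thresholds: constructed values for the example, tune to your own risk appetite.
CAPTCHA_AFTER = 3       # failures before a CAPTCHA is demanded
SLOWDOWN_AFTER = 5      # failures before the mandatory delay starts doubling
BLOCK_AFTER = 10        # failures before the username is locked outright
BLOCK_SECONDS = 3600    # lock duration: one hour, as the answer suggests
MAX_DELAY = 300         # cap on the growing delay so it cannot grow without bound


@dataclass
class _State:
    failures: int = 0
    not_before: float = 0.0     # earliest time the next attempt may be evaluated
    blocked_until: float = 0.0  # hard lock expiry


class LoginGuard:
    """Per-username brute-force throttle: CAPTCHA, growing delay, then a temporary block."""

    def __init__(self) -> None:
        self._states: dict[str, _State] = {}

    def status(self, username: str, now: float) -> tuple[str, float]:
        """Return (decision, seconds_to_wait); decision is 'ok', 'captcha', 'wait' or 'blocked'."""
        s = self._states.get(username, _State())
        if now < s.blocked_until:
            return "blocked", s.blocked_until - now
        if now < s.not_before:
            return "wait", s.not_before - now
        if s.failures >= CAPTCHA_AFTER:
            return "captcha", 0.0
        return "ok", 0.0

    def record_failure(self, username: str, now: float) -> None:
        """Escalate the tier for this username after a wrong password."""
        s = self._states.setdefault(username, _State())
        s.failures += 1
        if s.failures >= BLOCK_AFTER:
            s.blocked_until = now + BLOCK_SECONDS
        elif s.failures >= SLOWDOWN_AFTER:
            # Delay doubles with each further failure: 1, 2, 4, 8 ... seconds, capped at MAX_DELAY.
            s.not_before = now + min(2 ** (s.failures - SLOWDOWN_AFTER), MAX_DELAY)

    def record_success(self, username: str) -> None:
        """A correct login (after any CAPTCHA or delay) clears the counter for that user."""
        self._states.pop(username, None)
```

Because the lock is keyed on the username, anyone who knows a victim's login name can keep that account locked; in practice the per-username counter is combined with per-IP signals and the block is logged and alerted on rather than applied silently.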