How to Prevent Brute Force Attacks

By John Gates

March 5th, 2024

What is a Brute Force Attack?

A brute-force attack is a trial-and-error method hackers use to guess login information, and encryption keys, or find hidden web pages.

In a brute force attack, an attacker tries as many combinations as possible, systematically incrementing through all possibilities until the correct password is discovered. This can be done manually, but it is usually automated using specialized software tools designed for this purpose.

An increased reliance on information technology has led to a significant rise in cyberattacks, particularly brute force and password guessing attacks from 2021 to 2023.

(Reference: ESET Threat Report H1 2023)

Types of Brute Force Attacks

There are several types of brute force attacks that attackers can use to attempt to gain unauthorized access to systems or data. These different types of brute force attacks can be used individually or in combination, depending on the specific scenario and the attacker’s resources and goals:

Simple Brute Force Attack: This represents the simplest form of brute force attack. The attacker systematically tries all character combinations for a password or encryption key. Effective against short or weak passwords but impractical for longer, complex ones.

Rainbow Table Attack: The attacker creates and stores a “rainbow table” of password hashes for common passwords. This enables them to swiftly find the plaintext password for any hash in the table, bypassing the need to brute force each hash separately.

Mask Attack: a mask attack targets passwords matching a specific pattern, enabling users to bypass unnecessary character combinations and shorten brute-force password recovery time. This can be more efficient than a simple brute force attack when certain password patterns are known or suspected.

Dictionary Attack: Attackers opt for pre-made lists of common passwords, words, phrases, and character combinations instead of exhaustive attempts. These “dictionaries” may comprise leaked password databases, popular keyboard patterns, or variations of common words.

Reverse Brute Force Attack (Credential Stuffing):This tactic shifts focus. Instead of aiming at a single account with diverse passwords, attackers utilize known leaked passwords from breaches and test them against numerous usernames or email addresses. This exploits instances of password reuse across different platforms.

Password Spraying: Similar to credential stuffing, employs a restricted range of common passwords, often leaked ones, across a wide array of usernames or email addresses. The attacker targets accounts where users have reused weak passwords, aiming to gain unauthorized access.

Keystroke Logging (keylogging): Is the process of capturing (logging) keystrokes on a keyboard, often done discreetly, without the user’s knowledge of being monitored.

Top 5 Tips for a Secure Password

There are several techniques that can be employed to reduce the risk and impact of brute force attacks against login systems. Let’s discuss the 9 ways on how to avoid brute force attacks.

How to avoid brute force attacks:

1. Strong Password Policies: Enforce strong password policies that require long passwords (at least 12-14 characters) with a combination of uppercase, lowercase, numbers, and special characters. Longer and more complex passwords increase the number of possible combinations an attacker must try, making brute force attacks much more difficult.
1. Account Lockout: Implement account lockout policies that temporarily lock an account after a certain number of failed login attempts (e.g., 3-4 attempts) for a specified duration. This prevents an attacker from continuing to guess passwords indefinitely.
1. CAPTCHA or Other Challenge-Response Tests: Integrate CAPTCHA or other challenge-response tests into the login process, which requires the user to prove they are human and not an automated bot. This can slow down brute force attacks significantly.
1. Multi-Factor Authentication (MFA): Implement multi-factor authentication, which requires an additional factor (e.g., a one-time code sent to a user’s phone) in addition to the password. This additional layer of security makes it much harder for an attacker to gain access, even with a valid password.
1. IP Address Monitoring and Blocking: Monitor and block IP addresses that have multiple failed login attempts from the same source. This can prevent an attacker from continuing their brute force attack from the same IP address.
1. Delayed Responses: Introduce deliberate delays (e.g., a few seconds) between failed login attempts. This can significantly slow down the rate at which an attacker can try different password combinations.
1. Honey Traps or Deceptive Responses: Set up honey traps or deceptive responses that lead an attacker to believe their login attempts are successful, while in reality, they are being monitored and blocked.
1. Password Salting and Hashing: Store passwords using salting and secure hashing algorithms instead of plain text. This prevents an attacker from easily comparing hashed passwords against pre-computed lists of common password hashes.
1. Monitoring and Logging: Implement robust logging and monitoring systems to detect and alert on potential brute force attack patterns, allowing for timely response and mitigation.

Windows Password Guidelines: Updated Best Practices for 2024

Why Server Hardening Should be Top Priority

While techniques like strong passwords and honeytraps can hinder brute force attacks, server hardening offers the most comprehensive defense. Server hardening addresses the root cause of the vulnerability rather than relying solely on techniques that mitigate the attack’s impact.

By hardening the system’s authentication mechanisms, it becomes significantly more difficult for attackers to gain unauthorized access through brute force methods. While the techniques mentioned above can reduce the effectiveness of brute force attacks, they are temporary solutions in the short term that do not eliminate the underlying weaknesses in the system’s security posture. Hardening, on the other hand, directly strengthens the system’s defenses, making it much more resilient against brute force attacks and other types of unauthorized access attempts.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

How to Prevent Brute Force Attacks

What is a Brute Force Attack?

Types of Brute Force Attacks

How to avoid brute force attacks:

Why Server Hardening Should be Top Priority

Subscribe to Email Updates

You might be interested

Experience a personalized demo

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 14 hours	No description
drift_campaign_refresh	30 minutes	No description
fpestid	1 year	No description
st_samesite	session	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

How to Prevent Brute Force Attacks

What is a Brute Force Attack?

Types of Brute Force Attacks

9 Techniques to Reduce Login Brute Force Attacks

How to avoid brute force attacks:

Why Server Hardening Should be Top Priority

Subscribe to Email Updates

You might be interested

Experience a personalized demo