A brute-force attack is a common threat faced by web developers: an attacker attempts to crack a password by systematically trying every possible combination of letters, numbers, and symbols until one works. Using automated software, attackers can try millions of passwords per day. Depending on the length and complexity of the password there may be trillions of combinations, so a dictionary attack (a hybrid brute-force attack that draws its guesses from a list of words) is often incorporated to speed things up dramatically.
A dictionary attack is very effective because most people build their passwords from common words, so it is best to work through those first before trying completely random strings. Since people tend to choose passwords made of words rather than random mixes of letters, numbers, and special characters, a dictionary attack uses wordlists and statistics to narrow down the candidates. The most common password of 2014 was 123456, so brute-force software would try this first.
A brute-force attack is easy to detect but not easy to prevent. Attackers can avoid detection by relaying requests through a list of different proxy servers. Each request comes from a different IP, so you cannot block it by IP address. Some tools even try a different username and password on each attempt so that no single account is locked out for failed password attempts.
Locking Accounts
You can force the lockout of an account after a set number of incorrect password attempts, for a specific duration. For example, after three failed login attempts you could lock the account for an hour or until an administrator unlocks it. An attacker can turn this against you as a DoS attack by deliberately locking out your user accounts. Some websites experience so many attacks that they are unable to enforce a lockout policy, because they would constantly be unlocking accounts. Account lockout is also ineffective against slow attacks that try only a few passwords every hour, or against attacks that try one password against many user accounts. Outside a controlled environment account lockout can be very ineffective, but it is used where an account compromise would be far worse than a constant DoS attack.
Cookies
Device cookies have been used for some time as an additional authenticator for user devices. The idea is to issue a special “device” cookie to every client (browser) when it is used to successfully authenticate a user in a system. The device cookie can be used to:
- Distinguish between known/trusted and unknown/untrusted clients
- Establish universal temporary lockouts for all untrusted clients
- Lock out trusted clients individually
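The following is an added example, not code from the original post or from WatchPoint, showing how the three uses of a device cookie listed above fit together in a login handler. It assumes a server-side signing key (`SERVER_KEY`, a constructed value here), a caller-supplied `verify_password` function, and in-memory counters; the thresholds reuse the article's own three attempts and one hour. The point it makes beyond the list is that an attacker with no cookie only ever drains the shared untrusted budget for a user, so the user's own known devices keep working even while the lockout from the earlier section would have shut everyone out.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Hypothetical server-side signing key (constructed for this example);
# a real deployment loads it from a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"

MAX_FAILURES = 3        # failed attempts before a lockout (the article's example)
LOCKOUT_SECONDS = 3600  # one hour, as in the article's example


def issue_device_cookie(username: str) -> str:
    """Mint a device cookie bound to a user: 'user|nonce|HMAC-SHA256(user|nonce)'."""
    nonce = secrets.token_hex(16)
    payload = f"{username}|{nonce}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def parse_device_cookie(cookie: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, nonce) if the cookie carries a valid signature, else None.

    A forged or tampered cookie yields None, so that client is treated as
    untrusted instead of receiving a trusted client's separate budget.
    """
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, nonce, sig = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return username, nonce


class LoginGuard:
    """Track failures and lockouts separately for trusted and untrusted clients.

    Trusted clients (valid device cookie for the user being logged in) are
    locked out individually, keyed by their cookie nonce.  Untrusted clients
    share one lockout per user, so an attacker without a cookie cannot deny
    service to the user's own known devices.
    """

    def __init__(self, verify_password: Callable[[str, str], bool]) -> None:
        self.verify_password = verify_password
        # In-memory state for the example; a real service keeps these in a
        # shared store so every web node sees the same counters.
        self.failures: Dict[tuple, int] = {}
        self.lockout_until: Dict[tuple, float] = {}

    def _bucket(self, username: str, cookie: Optional[str]) -> tuple:
        parsed = parse_device_cookie(cookie)
        if parsed is not None and parsed[0] == username:
            return ("trusted", username, parsed[1])
        return ("untrusted", username)

    def attempt(self, username: str, password: str,
                cookie: Optional[str], now: float) -> Tuple[str, Optional[str]]:
        """Return (status, device_cookie); status is 'ok', 'failed' or 'locked'."""
        bucket = self._bucket(username, cookie)
        if self.lockout_until.get(bucket, 0.0) > now:
            return "locked", None  # refused before the password is even checked
        if self.verify_password(username, password):
            self.failures.pop(bucket, None)
            # Keep an existing trusted cookie; mint one for a newly seen client.
            new_cookie = cookie if bucket[0] == "trusted" else issue_device_cookie(username)
            return "ok", new_cookie
        count = self.failures.get(bucket, 0) + 1
        if count >= MAX_FAILURES:
            self.failures.pop(bucket, None)
            self.lockout_until[bucket] = now + LOCKOUT_SECONDS
        else:
            self.failures[bucket] = count
        return "failed", None
```

A locked bucket is refused before the password is verified, so a locked-out attacker learns nothing from the response even when a guess happens to be right; the cookie is only ever issued on a successful login and is never accepted as proof on its own.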
Random Login Pauses
A login pause can be effective against a brute-force attack while having little noticeable impact on your users' login process. Since the feasibility of a brute-force attack depends on how many guesses the attacker can make in a given time, injecting random pauses when checking a password can greatly slow down an attack.
Avoid Predictable Behavior
If you design your website not to use predictable behavior for failed passwords, you can confuse and discourage attackers. Most websites display a “HTTP 404 error” with a password failure message. Some websites use a “HTTP 200 SUCCESS” code but direct the user to a page explaining the failed password attempt. There are tools available that can fool some automated brute-force systems, but those can be easy to circumvent. You should vary the behavior enough that it discourages the attackers from continuing. You can use a different error message each time, or direct the attacker through to a page that only prompts for the password again. You might also require that a secret question be answered after two failed login attempts.
Use Two-Factor Authentication
Two-Factor Authentication (also known as 2FA or 2-Step Verification) provides user authentication using a combination of two different components. These might be something the user knows, something the user possesses, or something that is inseparable from the user. A familiar example of two-factor authentication is the debit card you use almost daily: the bank card is required along with the PIN in order to withdraw money from an ATM.
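As an added example (not code from the original post or from WatchPoint), here is the "something the user possesses" factor in its most common software form: a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP), the scheme used by authenticator apps. It assumes a per-user secret key shared with the user's device at enrollment; the only specific values are the RFC's own published test key and vectors. The verifier accepts one step of clock drift on either side and refuses any counter at or below the last one the user already consumed, so a code an attacker captured cannot be replayed.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the epoch."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1,
                algo=hashlib.sha1) -> Optional[int]:
    """Check a submitted code; return the matching counter, or None on failure.

    window: number of time steps of clock drift tolerated on each side.
    last_counter: the counter of the last code this user successfully used;
    anything at or below it is refused so a captured code cannot be replayed.
    The caller persists the returned counter as the user's new last_counter.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(key, counter, digits, algo)
        # Constant-time comparison so response timing does not leak digit matches.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test key; at T=59 the 8-digit SHA-1 code is 94287082.
    demo_key = b"12345678901234567890"
    print(totp(demo_key, 59, digits=8))
```

The second factor only helps if the password check and the code check are rate-limited together; a brute-force tool that has already found the password still faces only a million six-digit codes per 30-second step, which is exactly why the lockout and pause measures above remain necessary alongside 2FA.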
Use CAPTCHA
CAPTCHA is a test that lets a website distinguish humans from computers. CAPTCHAs are very effective in stopping many kinds of automated abuse, including brute-force attacks. After entering a username and password, the user is presented with a task that is easy for a human to complete but difficult for computers. Some CAPTCHAs are as simple as checking a box, others ask you to solve simple math problems, while others ask you to identify items in a photo such as a house number. I’ve even seen ones that ask you to select the two photos out of eight that both contain a similar object.
You Have a Partner in WatchPoint
It is quite difficult to stop a brute-force attack, but it is very easy to detect. Using a combination of the methods described above will give you a fighting chance when your server comes under a brute-force attack. The best method of protection is to partner with WatchPoint and allow our forensic experts to monitor your network 24/7 for suspicious behavior using state-of-the-art software like Carbon Black. We will identify a brute-force attack immediately and work with you to resolve the issue before you even know it exists.
With WatchPoint's Security Solution you will:
- Know someone is securing your business.
- Have true visibility into your digital assets.
- Have a support staff dedicated to safeguarding your network.