A dictionary attack is effective because most people build their passwords from common words, so an attacker works through a wordlist before resorting to fully random guesses. Since people tend to choose word-based passwords rather than random mixes of letters, numbers, and special characters, a dictionary attack uses wordlists and password statistics to narrow the search. The most common password of 2014 was 123456, so brute-force software would try it first.
A brute-force attack is easy to detect but not easy to prevent. Attackers can avoid detection by relaying requests through a list of different proxy servers. Each request then comes from a different IP, so blocking by IP address does not work. Some tools even try a different username and password on each attempt, so no single account accumulates enough failures to be locked out.
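The detection side of the two paragraphs above, as an added example that is not from the original article or from WatchPoint: a small detector run over constructed sshd-style auth log lines. It flags an account that receives many failures from many source IPs (the proxy-rotation pattern) and a single source that fails against many different accounts (the rotate-the-username pattern). The log format, thresholds and window are assumptions chosen for the example; the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log for the example; hosts and addresses are documentation values.
SAMPLE_LOG = """\
Jan 10 10:00:01 web sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jan 10 10:00:03 web sshd[1202]: Failed password for alice from 203.0.113.6 port 51001 ssh2
Jan 10 10:00:04 web sshd[1203]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Jan 10 10:00:06 web sshd[1204]: Failed password for alice from 203.0.113.8 port 51003 ssh2
Jan 10 10:00:09 web sshd[1205]: Failed password for alice from 203.0.113.9 port 51004 ssh2
Jan 10 10:00:11 web sshd[1206]: Failed password for alice from 203.0.113.10 port 51005 ssh2
Jan 10 10:05:00 web sshd[1210]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 10:05:02 web sshd[1211]: Failed password for invalid user carol from 198.51.100.7 port 40002 ssh2
Jan 10 10:05:05 web sshd[1212]: Failed password for dave from 198.51.100.7 port 40003 ssh2
Jan 10 10:05:07 web sshd[1213]: Failed password for erin from 198.51.100.7 port 40004 ssh2
Jan 10 10:05:09 web sshd[1214]: Failed password for frank from 198.51.100.7 port 40005 ssh2
Jan 10 10:30:00 web sshd[1220]: Failed password for grace from 192.0.2.20 port 52000 ssh2
Jan 10 10:30:15 web sshd[1221]: Accepted password for grace from 192.0.2.20 port 52000 ssh2
Jan 10 10:31:00 web CRON[1300]: pam_unix(cron:session): session opened for user root
"""

# Assumed line format: standard sshd "Failed/Accepted password for [invalid user] X from IP port N".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, outcome, user, ip) for an sshd password event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m.group("outcome"), m.group("user"), m.group("ip")


def _within_window(events, k, window):
    """Sliding window: does any run of k consecutive (time-sorted) events span <= window seconds?"""
    for i in range(len(events) - k + 1):
        if (events[i + k - 1][0] - events[i][0]).total_seconds() <= window:
            return True
    return False


def find_brute_force(lines, window=600, user_threshold=5, spray_threshold=4):
    """Flag accounts under concentrated guessing and sources guessing across many accounts."""
    by_user = defaultdict(list)  # user -> [(ts, ip)] for failed attempts
    by_ip = defaultdict(list)    # ip -> [(ts, user)] for failed attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, user, ip = rec
        by_user[user].append((ts, ip))
        by_ip[ip].append((ts, user))

    targeted = {}
    for user, events in by_user.items():
        events.sort()
        if _within_window(events, user_threshold, window):
            targeted[user] = {ip for _, ip in events}  # many distinct IPs suggests proxy rotation

    spraying = {}
    for ip, events in by_ip.items():
        events.sort()
        # A source is spraying if some run of spray_threshold failures inside the window
        # hits spray_threshold distinct accounts.
        for i in range(len(events) - spray_threshold + 1):
            run = events[i:i + spray_threshold]
            in_window = (run[-1][0] - run[0][0]).total_seconds() <= window
            if in_window and len({u for _, u in run}) >= spray_threshold:
                spraying[ip] = {u for _, u in events}
                break
    return targeted, spraying


if __name__ == "__main__":
    targeted, spraying = find_brute_force(SAMPLE_LOG.splitlines())
    for user, ips in targeted.items():
        print(f"account {user}: failures from {len(ips)} source IPs")
    for ip, users in spraying.items():
        print(f"source {ip}: failures against {len(users)} accounts")
```

The `window` parameter is the knob that matters against the slow attacks the text mentions later: an attacker who spaces guesses beyond the window never triggers either rule, so the window has to be chosen with that trade-off in mind rather than left at a default.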
Locking Accounts
You can force the lockout of an account after a set number of incorrect password attempts, either for a specific duration or until an administrator unlocks it. For example, after three failed login attempts you could lock the account for an hour. An attacker can turn this against you as a DoS attack by deliberately locking out your user accounts. Some websites experience so many attacks that they cannot enforce a lockout policy at all, because they would constantly be unlocking accounts. Account lockout is also ineffective against slow attacks that try only a few passwords every hour, and against attacks that try one password against many user accounts. Outside a controlled environment it is therefore of limited value, but it is used where an account compromise would be far worse than a constant DoS attack.
Cookies
Device cookies have been used for some time as an additional authenticator for user devices. The idea is to issue a special “device” cookie to every client (browser) when it is used to successfully authenticate a user in a system. The device cookie can be used to:
Random Login Pauses
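The account-lockout, device-cookie and random-pause controls from the three sections above, combined in one added example that is not code from the original article or from WatchPoint. Failures are counted in a bucket: a client presenting a valid HMAC-signed device cookie gets its own bucket, while all untrusted clients for a user share one, so an attacker locking the untrusted bucket does not lock out the user's own browser. The three-strikes and one-hour values come from the text; the cookie format (`user:nonce:hmac`), the pause range and the in-memory storage are assumptions chosen here.

```python
import hashlib
import hmac
import random
import secrets
import time

# Policy values: three failures and a one-hour lock are from the text; the pause range is assumed.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 3600
PAUSE_RANGE = (0.5, 3.0)  # random delay after every failed attempt, in seconds

# Constructed server secret for the example; in production load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def issue_device_cookie(username, key=SERVER_KEY):
    """Return 'username:nonce:hmac' to set as the device cookie after a successful login."""
    nonce = secrets.token_hex(16)
    payload = f"{username}:{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_device_cookie(cookie, username, key=SERVER_KEY):
    """True only if the cookie was issued by this server for this username and is untampered."""
    if not isinstance(cookie, str):
        return False
    parts = cookie.rsplit(":", 2)  # rsplit so a username containing ':' still parses
    if len(parts) != 3:
        return False
    user, nonce, tag = parts
    expected = hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return user == username and hmac.compare_digest(tag, expected)


class LoginGuard:
    """Counts failures per (user, trusted device), or per user for untrusted clients."""

    def __init__(self, check_password, clock=time.time, sleep=time.sleep, rng=None):
        self.check_password = check_password  # callable(username, password) -> bool
        self.clock = clock                    # injectable so tests can move time forward
        self.sleep = sleep                    # injectable so tests do not really wait
        self.rng = rng or random.SystemRandom()
        self.failures = {}      # bucket -> consecutive failure count
        self.locked_until = {}  # bucket -> time at which the lock expires

    def _bucket(self, username, device_cookie):
        if verify_device_cookie(device_cookie, username):
            return ("device", device_cookie)
        return ("untrusted", username)

    def is_locked(self, username, device_cookie=None):
        bucket = self._bucket(username, device_cookie)
        return self.locked_until.get(bucket, 0.0) > self.clock()

    def _fail(self):
        # Same randomised pause whether the bucket is locked or the password was simply wrong,
        # so the response timing does not reveal which it was.
        pause = self.rng.uniform(*PAUSE_RANGE)
        self.sleep(pause)
        return False, None, pause

    def attempt(self, username, password, device_cookie=None):
        """Return (success, new_device_cookie, pause_seconds)."""
        bucket = self._bucket(username, device_cookie)
        now = self.clock()
        if self.locked_until.get(bucket, 0.0) > now:
            return self._fail()  # locked: even the correct password is refused
        if self.check_password(username, password):
            self.failures.pop(bucket, None)
            return True, issue_device_cookie(username), 0.0
        count = self.failures.get(bucket, 0) + 1
        self.failures[bucket] = count
        if count >= MAX_FAILURES:
            self.locked_until[bucket] = now + LOCKOUT_SECONDS
            self.failures.pop(bucket, None)
        return self._fail()


if __name__ == "__main__":
    users = {"alice": "correct horse"}  # constructed; a real system checks a password hash
    guard = LoginGuard(lambda u, p: users.get(u) == p, sleep=lambda s: None)
    ok, cookie, _ = guard.attempt("alice", "correct horse")
    for _ in range(MAX_FAILURES):
        guard.attempt("alice", "wrong")
    print("untrusted locked:", guard.is_locked("alice"), "device locked:", guard.is_locked("alice", cookie))
```

The guard returns the pause it applied so a web handler can log it; in a real deployment the failure counters and lock times would live in a shared store rather than a dictionary, and the cookie should be set with the `Secure` and `HttpOnly` flags.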
Avoid Predictable Behavior
If you design your website so that it does not behave predictably on a failed password, you can confuse and discourage attackers. Most websites display an HTTP 404 error with a password failure message. Some websites return an HTTP 200 status but direct the user to a page explaining the failed attempt. There are tools that can fool some automated brute-force systems, but those can be easy to circumvent. You should vary the behavior enough to discourage the attacker from continuing: use different error messages each time, or send the attacker through to a page only to prompt for the password again. You might also require that a secret question be answered after two failed login attempts.
Use Two-Factor Authentication
Two-Factor Authentication (also known as 2FA or 2-Step Verification) authenticates a user with a combination of two different components: something the user knows, something the user possesses, or something that is inseparable from the user. A familiar example is the debit card you use almost daily: the card is required along with the PIN to withdraw money from an ATM.
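The "something you know" plus "something you possess" combination above, as an added example that is not code from the original article or from WatchPoint. It assumes the possessed factor is a TOTP authenticator (RFC 6238, which builds on the HOTP construction of RFC 4226); the password storage, the one-step clock-drift window and the replay rule are choices made here. Both factors are evaluated before answering, so a failure does not tell the caller which one was wrong.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000  # assumed; tune to your hardware


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class TwoFactorVerifier:
    """Password (something you know) plus TOTP code (something you have), with replay protection."""

    def __init__(self, clock=time.time, window=1, step=30):
        self.clock = clock      # injectable so tests can pin the time
        self.window = window    # accept codes this many steps either side of "now"
        self.step = step
        self.users = {}         # username -> record dict (in-memory for the example)
        self._dummy_salt = os.urandom(16)

    def enroll(self, username, password, totp_secret):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": _password_hash(password, salt),
            "secret": totp_secret,
            "last": -1,         # highest counter whose code has already been accepted
        }

    def _code_counter(self, rec, code, now):
        """Return the time-step counter the code matches, or None; used counters are refused."""
        base = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= rec["last"]:
                continue  # replay protection: each step's code may be used at most once
            if hmac.compare_digest(hotp(rec["secret"], counter), code):
                return counter
        return None

    def login(self, username, password, code):
        rec = self.users.get(username)
        if rec is None:
            _password_hash(password, self._dummy_salt)  # keep timing similar for unknown users
            return False
        pw_ok = hmac.compare_digest(_password_hash(password, rec["salt"]), rec["hash"])
        counter = self._code_counter(rec, code, self.clock())
        if not (pw_ok and counter is not None):
            return False
        rec["last"] = counter
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference secret, used only as a demo value
    v = TwoFactorVerifier()
    v.enroll("alice", "correct horse", secret)
    print("login:", v.login("alice", "correct horse", totp(secret, time.time())))
```

A real deployment would keep the `last` counter in persistent storage shared by all login servers; otherwise a code accepted on one server could be replayed against another within the same time step.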
Use CAPTCHA
CAPTCHA is a challenge-response test that lets you distinguish between humans and automated programs.
You Have a Partner in WatchPoint
It is quite difficult to stop a brute-force attack, but such attacks are very easy to detect. Using a combination of the methods described above will give you a fighting chance when your server comes under a brute-force attack. The best method of protection is to partner with WatchPoint and allow our forensic experts to monitor your network 24/7 for suspicious behavior using state-of-the-art software like Carbon Black. We will identify a brute-force attack immediately and work with you to resolve the issue before you even know it exists.
With WatchPoint's Security Solution you will: