Brute Force Login Attack

A brute force login attack is a very common botnet attack used against web applications.  The goal of a brute force login attack is to gain access to one or more user accounts by repeatedly trying to log in with different username and password combinations.  The attacker is essentially guessing the user's credentials over and over until a login succeeds, and with automated tooling spread across a botnet we are talking thousands of attempts per second.

Alternate Names and Examples:

Brute-force attacks against sign-in

Brute forcing log-in credentials

Brute-force password cracking

Cracking login credentials

Credential cracking

Password brute-forcing

Password cracking

Reverse brute force attack

Username cracking

Username enumeration

Potential Symptoms:

• Large number of failed login attempts

• Large number of requests containing variations on the account name and/or password

• An increase in the account lockout rate

• A higher number of customer complaints about account hijacking
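The symptoms above can be turned into detection logic. The following Python is an added example, not code from the original page: it scans a small constructed authentication log (timestamp, source IP, username, outcome) with a sliding window and raises three kinds of alert: one IP failing many times, one IP trying many different usernames with only a failure or two each (the spraying pattern that per-account failure counters never see), and one account collecting many failures from any source. The log format, the thresholds and the one-minute window are assumptions chosen for illustration.

```python
"""Detect brute-force symptoms in login logs (added example, not from the page).

Log format is assumed: "<ISO timestamp> <source ip> <username> <FAIL|OK>".
The sample lines below are constructed for illustration, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 alice FAIL
2024-05-01T10:00:04 203.0.113.7 alice FAIL
2024-05-01T10:00:05 203.0.113.7 alice FAIL
2024-05-01T10:00:10 198.51.100.9 bob FAIL
2024-05-01T10:00:11 198.51.100.9 carol FAIL
2024-05-01T10:00:12 198.51.100.9 dave FAIL
2024-05-01T10:00:13 198.51.100.9 erin FAIL
2024-05-01T10:00:14 198.51.100.9 grace OK
2024-05-01T10:05:00 192.0.2.44 alice OK
2024-05-01T10:06:00 192.0.2.45 bob FAIL
2024-05-01T10:06:30 192.0.2.45 bob OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def _windows(fails, window):
    """For each failure, yield the tags of the failures that follow it within `window`."""
    fails = sorted(fails)
    for i, (start, _) in enumerate(fails):
        yield [tag for ts, tag in fails[i:] if ts - start <= window]


def detect(events, window=timedelta(minutes=1), fail_threshold=5, spray_users=4):
    """Return sorted (kind, key) alerts.

    bruteforce : one source IP with >= fail_threshold failures inside `window`
    spray      : one source IP failing against >= spray_users distinct usernames
                 inside `window` (so few attempts per account that a per-account
                 lockout counter never trips)
    targeted   : one account with >= fail_threshold failures from any IPs
    """
    by_ip = defaultdict(list)    # ip   -> [(ts, user)]
    by_user = defaultdict(list)  # user -> [(ts, ip)]
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            by_ip[ip].append((ts, user))
            by_user[user].append((ts, ip))

    alerts = set()
    for ip, fails in by_ip.items():
        for users in _windows(fails, window):
            if len(users) >= fail_threshold:
                alerts.add(("bruteforce", ip))
            if len(set(users)) >= spray_users:
                alerts.add(("spray", ip))
    for user, fails in by_user.items():
        for ips in _windows(fails, window):
            if len(ips) >= fail_threshold:
                alerts.add(("targeted", user))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, key in detect(parse(SAMPLE_LOG)):
        print(f"{kind:10s} {key}")
```

Note that 198.51.100.9 is never flagged by the plain failure count: four failures in a minute is below the threshold, and each account it touches sees a single failure, so neither a per-IP nor a per-account counter alone would catch it. Counting distinct usernames per source is what surfaces the spraying run.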

A few ways these attacks are accomplished

The simplest method is an exhaustive search: the attacker tries every combination of letters, numbers and symbols, working up from short candidates, until one matches.  Knowing the password length narrows the search, but the number of candidates still grows exponentially with each extra character, so this method takes a very long time against long passwords, which is why it is very important to use lengthy passwords for your accounts.

Another method is called a Dictionary Attack.  Instead of every combination, the attacker tries a large list of likely passwords, for example all English words or commonly used passwords, often with numbers and symbols appended at the end.

There is also the method of trying the same password (or a short list of passwords) against many different accounts, known as password spraying or a reverse brute force attack.  These attacks tend to be the most successful, because each account sees only one or two failed attempts and a per-account lockout threshold is never reached.  The limiting factor for the attacker is acquiring a big list of valid usernames to use in the attack, which is why username enumeration often comes first.

Ways to prevent brute force attacks

    Account Lockout Policy

This is where you set a threshold of failed attempts at logging into an account.  So as an example, after 3 failed attempts, the account will be locked until the admin unlocks it.  The main problem with this method is that many accounts can easily be locked out, which causes service problems for users and a lot of work for the administrator.  It also hands the attacker a denial-of-service tool: anyone who knows a victim's username can lock that account by submitting a few wrong passwords, and it does nothing against password spraying, where each account only ever sees one attempt.

    Progressive Delays

This method is a refinement of the account lockout policy: user accounts are locked out only for a limited period of time, and each additional failed login attempt lengthens the lockout, for example by doubling it up to a cap.  This dramatically slows automated tools attempting a single-account guessing run without requiring an administrator to unlock accounts, although on its own it still does not stop an attacker who spreads attempts across many accounts.
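As an added example (not code from the original page), here is a Python sketch of the progressive-delay scheme described above; it also covers the failure threshold from the Account Lockout Policy section. After a couple of free attempts, each further failure doubles the account's cooldown, a successful login resets it, and the cooldown is capped so that a deliberate lockout of a known username is bounded rather than indefinite. The threshold, base delay and cap values, the in-memory credential store, and the ManualClock helper are all assumptions made for illustration.

```python
"""Progressive-delay login throttle (added example, not from the page).

Each failed attempt for an account doubles that account's cooldown, a
successful login resets it, and the cooldown is capped so an attacker who
knows a username cannot push a victim into an indefinite lockout.
The credential store is a plain dict here for illustration only; a real
system would verify a salted password hash.
"""
import hmac
import time

FREE_ATTEMPTS = 2      # failures tolerated before any delay (assumed policy)
BASE_DELAY = 1.0       # seconds of cooldown once FREE_ATTEMPTS is reached
MAX_DELAY = 15 * 60.0  # cap on the cooldown, in seconds


class ManualClock:
    """Controllable clock so the throttle can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def delay_for(failures):
    """Cooldown in seconds after `failures` consecutive failed attempts."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)


class LoginThrottle:
    def __init__(self, credentials, clock=time.monotonic):
        self._creds = credentials  # {username: password}, constructed for the demo
        self._clock = clock
        self._state = {}           # username -> (consecutive failures, not_before)

    def attempt(self, username, password):
        """Return ("ok"|"fail"|"throttled", seconds the caller must wait)."""
        now = self._clock()
        failures, not_before = self._state.get(username, (0, 0.0))
        if now < not_before:
            # Reject without touching the password: a throttled attempt
            # leaks nothing about the credential and does not grow the counter.
            return "throttled", not_before - now
        # Unknown usernames go through the same comparison so the response
        # does not reveal which accounts exist.
        expected = self._creds.get(username, "")
        match = hmac.compare_digest(expected.encode(), password.encode())
        if match and username in self._creds:
            self._state.pop(username, None)
            return "ok", 0.0
        failures += 1
        delay = delay_for(failures)
        self._state[username] = (failures, now + delay)
        return "fail", delay


def demo():
    """Drive the throttle through a guessing run; returns the observed outcomes."""
    clock = ManualClock(1000.0)
    throttle = LoginThrottle({"alice": "correct horse"}, clock=clock)
    out = []
    out.append(throttle.attempt("alice", "wrong1"))         # ("fail", 0.0): within free attempts
    out.append(throttle.attempt("alice", "wrong2"))         # ("fail", 1.0): cooldown starts
    out.append(throttle.attempt("alice", "wrong3"))         # ("throttled", 1.0): retried too soon
    clock.advance(1.0)
    out.append(throttle.attempt("alice", "wrong3"))         # ("fail", 2.0): cooldown doubles
    clock.advance(2.0)
    out.append(throttle.attempt("alice", "correct horse"))  # ("ok", 0.0): counter reset
    out.append(throttle.attempt("alice", "wrong4"))         # ("fail", 0.0): free attempts again
    return out


if __name__ == "__main__":
    for outcome, wait in demo():
        print(f"{outcome:9s} wait {wait:.0f}s")
```

Keyed per account, this slows a single-account guessing run but, like lockout, does nothing against spraying, where each account sees one attempt; in practice the same counter is usually kept per source IP as well, and the state lives in a shared store rather than process memory so that every login server enforces the same delays.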

    Challenge Response Test

This method involves requiring the user to answer a question or solve a puzzle on the login page.  The common form is a CAPTCHA (Google's reCAPTCHA is the best-known implementation), usually an image of distorted letters or numbers that the user has to type into a box.  The login is only processed if the CAPTCHA response is correct; the username and password must still match.  The main issue with this approach is poor user experience, as it is often annoying for the user, and determined attackers can route the puzzles to automated or human solving services.
