Sunday, August 6, 2017

Do Protect Your Data from Brute-Force Attacks

Details:
A common threat web developers face is the password-guessing attack known as a brute-force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination is found. If your web site requires user authentication, it is a natural target for a brute-force attack. More generally, brute force is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities.
Root cause:
Brute-force attacks succeed mainly because of a weak password policy. Below are the factors that make it easier to brute-force a password:
1. Allowing non-complex passwords, e.g. passwords made up only of numbers or only of letters.
2. No restriction on minimum password length.
3. Use of dictionary words in passwords.
4. Use of common or default usernames like Admin, Administrator, Guest, Root, User, etc. and passwords like Password@123 or admin@123.
5. Allowing reuse of passwords.
6. Not defining password expiration.

Probable Recommendations:
Following are the recommendations to avoid a brute-force attack:
1. Return a generic error message in response to each unsuccessful attempt, so the response does not reveal whether the username or the password was wrong.
2. Lock the account after a certain number of unsuccessful attempts.
3. Log the IP address of the client from which the traffic is coming. Block the IP if login data for more than 2-3 user IDs is coming from the same machine.
4. Verify the IP of the client machine along with the user ID and password.
5. Use CAPTCHAs on user registration and login forms to stop attacks from automated tools.
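The following is an added example (not code from the original post) showing how recommendations 1 to 3 fit together in a login handler: a generic error message for every failure, a per-account lockout after a fixed number of failed attempts, and a per-IP block once too many distinct user IDs are tried from one address. The user store, thresholds and sample credentials are constructed for the example; the `now` parameter exists only so the lockout window can be tested without waiting.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES_PER_ACCOUNT = 5     # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60        # how long the lockout (and failure memory) lasts
MAX_USER_IDS_PER_IP = 3          # block an IP that tries more user IDs than this
GENERIC_ERROR = "Invalid username or password."   # same text for every failure


def make_record(password, salt=b"constructed-salt"):
    """Constructed user record: (salt, PBKDF2-SHA256 hash) for the sample store."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


class LoginGuard:
    def __init__(self, users, now=time.time):
        self.users = users                    # username -> (salt, hash)
        self.now = now                        # clock, injectable for testing
        self.failures = defaultdict(list)     # username -> failure timestamps
        self.ip_users = defaultdict(set)      # ip -> user IDs attempted from it
        self.blocked_ips = set()

    def _check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            # Do the same work for an unknown user so timing does not reveal
            # whether the account exists (recommendation 1, applied to timing).
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy", 100_000)
            return False
        salt, expected = rec
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(got, expected)

    def attempt(self, username, password, ip):
        now = self.now()
        if ip in self.blocked_ips:
            return (False, GENERIC_ERROR)
        self.ip_users[ip].add(username)       # recommendation 3: track IDs per IP
        if len(self.ip_users[ip]) > MAX_USER_IDS_PER_IP:
            self.blocked_ips.add(ip)
            return (False, GENERIC_ERROR)
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES_PER_ACCOUNT:
            return (False, GENERIC_ERROR)     # recommendation 2: locked, no hint
        if self._check_password(username, password):
            self.failures[username].clear()
            return (True, "ok")
        self.failures[username].append(now)
        return (False, GENERIC_ERROR)         # recommendation 1: generic message
```

In a real deployment the failure and IP tables would live in shared storage (a database or cache) rather than in process memory, so that the counters survive restarts and apply across all application instances.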

Also Refer:
https://www.linkedin.com/pulse/do-protect-your-data-from-brute-force-attacks-pradeep-m-s-?published=t
