Brute force attack is a simple but effective way commonly used by hackers to break into websites. In an attack, there are usually thousands or even millions of requests sent out targeting the login page of a website to obtain the right login information by trying numerous combinations of possible usernames and passwords.
By performing brute force attacks, attackers can always get access to the target websites especially those with weak login security. What’s worse, this kind of attacks are becoming more and more intelligent that they do not try completely random usernames and passwords, but instead they could use dictionary words that many people use.
When your website is under attack, it can encounter serious performance problems due to the excessive traffic and memory usage. Brute force attacks are quite easy to detect, but they are hard to prevent and mitigate.
It is discouraging to realize this, but you should know there are still some things you can do to defend your website against such attacks, for example, limiting the login attempts and using a CDN service.
In below, we will discuss some effective and commonly used ways for your website to prevent and survive brute force attacks.
Strengthen Username and Password
Never use the default admin username like “admin” and easily predictable passwords like “1234567”. The simple information could put your website in danger because it may take only several seconds for a hacker to guess your complete login information.
Remember to use a complex username, and make sure that your password is long enough, has a mixture of letters, numbers and special characters, and does not include a complete word or any real name (including your own name, company name and website name). If multiple users work for your website, enforce all of them to use strong passwords.
Lock out Accounts
Adding an account lockout is an option that prevents automated scripts from testing other possible passwords for certain accounts. By performing this feature, users who fail the login for certain times are completely locked out and can only go valid when an administrator unlocks them.
This way is efficient sometimes, especially when the attacks are too serious, but it is not among the most appropriate methods because it may fail in many cases.
Use Vague Error Messages
Sometimes, the error messages may help attackers find the valid usernames and passwords. Supposed that an error message says “invalid username” or “wrong password”, the attacker will rule out many possible login combinations quickly without trying endlessly. Therefore, you should use a consistent error message that only reminds the user that there is something wrong with the login information. No any further information is included.
Inject Pauses in Password Checking
Enforcing pauses between the attempts of trying different passwords for the same username can slow down brute force attacks effectively. You can set the interval to be 30 seconds or even longer. This does not bother the real users of your website, but it indeed prevents attackers to break into your site in a short time.
Use a CAPTCHA for Authentication
A CAPTCHA is a program widely used to distinguish computers and human beings so as to stop automated requests. When you add a CAPTCHA on your login page, real people can easily pass the test but computers will fail in most cases.
For better prevention and mitigation of brute force attacks, you can even create a completely new page with a CAPTCHA and a “leave a message” box, and enforce all users to complete the page before accessing the admin area.
When adding a CAPTCHA, choose one that requires people to type words instead of making a choice between 2 or 3 buttons. Combining the possibility of guessing the right username and password and that for getting the right CAPTCHA, even a simple CAPTCHA can protect your website effectively.
Prompt Secret Questions for Failed Logins
To improve the security of users’ accounts, you can also require all users to choose some questions and set answers that are known by nobody else. When there is one or two login attempts failing for a certain user, ask for not only the username and password, but also the answer for a secret question for valid authentication.
If you have detected a high volume of attacks, then you can require all users to answer a secret question when they log in no matter whether there is any login failure for their accounts. Doing so keeps automated attacks away from accessing your website.
Lock Down or Limit IP Addresses
If you have root access to the server that your website is on, you can block the IP addresses of the well-known spammers and those regions where many brute force attacks originate from. There are many reliable lists of IP addresses on the Internet available to download.
For a higher level of security, you can even allow certain IP addresses to access the login or admin area of your website in the case that the site is managed by a certain group of people.
It is unnecessary to try all the methods discussed above on a website, but you should combine several of them together to safeguard the login part. Besides, strong username and password is a must that you shall never forget to prompt on your website.