Defending Brute Force Attacks

Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length. More characters equal more time to brute force crack.
  • Increase password complexity. More options for each character also increase the time to brute force crack.
  • Limit login attempts. Brute force attacks increment a counter of failed login attempts on most directory services – a good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress.
  • Implement Captcha. Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress.
  • Use multi-factor authentication. Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success.

Generate Complex Password