Protecting Yourself Against Brute Force Attacks

May 20, 2013 Webmaster


WordPress, the internet’s biggest and most frequently used blogging platform, was targeted by brute force attacks last week. If you’re not a blogger, you might think this is no cause for concern. Wrong. Whether your website is for blogging or social media, a brute force attack can get under way quickly, and once it has begun, stolen information may be lost for good. If that still doesn’t alarm website owners, take note that WordPress is one of the biggest sites on the web: even though it is open source, it is still protected, and it was nonetheless eventually brought down.

But what is a brute force attack? The term probably brings to mind a back-alley mugging or a schoolyard fist fight. In this context, a brute force attack (BFA) is an attempt to recover account passwords from a website by exhaustive key search: trying every possibility, or every common word that people use as a password, in an attempt to compromise user accounts. A BFA is not a decryption attack (it does not reverse-engineer passwords); it simply lets a bot program run through a series of candidate passwords against many accounts until one of them logs in.

Threat

Brute force attacks can be used to try to compromise accounts on many websites. Aside from the obvious threat of a compromised account (especially one holding sensitive information such as a social security number or bank account details), accounts accessed via BFAs can be put to something even more threatening.

The attacks on WordPress last week went hand in hand with DDoS attacks on US banks. Those attacks have been going on for months on end, probably as a means of sending a message to Wall Street. DDoS (Distributed Denial of Service) attacks are network traffic attacks: an overwhelming number of remotely controlled users or user accounts logging in at the same time, or nearly the same time, can crash a server simply because it cannot handle the sheer volume of input. DDoS attacks are common across the internet, and BFAs often work hand in hand with them or are even their central component. Some websites filter random traffic by requiring a user login so that too much data cannot be fed to the server; accounts compromised by a BFA get past that filter, can be used to log in deliberately and crash the server, and can be reused over and over, grinding the website to a halt. This can seriously impair website operation and, in the case of banks or WordPress, halt operations entirely.

Countermeasures

Brute force attacks, though threatening, have a fatal flaw: they require dedicated equipment to feed in the candidate passwords. BFAs can quickly hit commonly used passwords (the attacking computers carry a dictionary of common passwords), but can take days, weeks, months or even years to reach less common ones. Hardware limits also rule out massive BFAs unless large numbers of computers take turns making attempts.

Websites may also use protection bots to prevent brute force attacks. These bots block access after a certain number of wrong passwords have been entered, and this is perhaps the most common form of BFA protection on websites today. It has the added benefit of being completely automated: you can leave the bot going about its business of protecting the website, and it is integrated into the website itself. There are also other protection or encryption programs that require traffic to be routed through the host server. That type of protection is far superior to a stand-alone bot, but it costs a hefty amount depending on how reliable the protection is. Most anti-virus brands have these kinds of bots on special offer.

Another, much simpler option is to require multiple authentication steps on login, so that several authentication requests must succeed before the account can be accessed. Combining this with the bot that limits login attempts increases the protection further. Most websites also add CAPTCHA phrases to keep bots out: a CAPTCHA cannot be read by a BFA bot and can significantly halt the progress of a BFA.
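The two countermeasures above (a bot that locks out an account after too many wrong passwords, and a CAPTCHA that a password-guessing script cannot solve) are usually combined into one escalation: allow, then demand a CAPTCHA, then lock. The following is an added example of that escalation, written for this page and not code from the article or from WordPress. The thresholds, the `LoginThrottle` class, the `FakeClock` helper and the guess list are all constructed for illustration; a real deployment would tune the numbers and keep the counters in shared storage rather than in memory.

```python
import time
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values from the article.
CAPTCHA_AFTER = 3      # failures before a CAPTCHA is demanded
LOCK_AFTER = 6         # failures before the account is temporarily locked
WINDOW_SECONDS = 300   # failures older than this no longer count
LOCK_SECONDS = 900     # how long a lock lasts


class LoginThrottle:
    """Per-account failure counter that escalates: allow -> captcha -> lock.

    The clock is injectable so the behaviour can be reproduced deterministically.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> time the lock expires

    def _recent_failures(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:   # forget stale failures
            q.popleft()
        return len(q)

    def state(self, account):
        """What the login form must do before a password is even checked."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        n = self._recent_failures(account, now)
        return "captcha" if n >= CAPTCHA_AFTER else "allow"

    def attempt(self, account, password_ok, captcha_ok=False):
        """Process one login attempt and return the outcome string."""
        now = self.clock()
        current = self.state(account)
        if current == "locked":
            return "locked"                  # password is not evaluated at all
        if current == "captcha" and not captcha_ok:
            return "captcha_required"        # a bot that cannot solve it stalls here
        if password_ok:
            self.failures[account].clear()   # a success resets the counter
            return "ok"
        self.failures[account].append(now)
        if self._recent_failures(account, now) >= LOCK_AFTER:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account].clear()
            return "locked"
        return "denied"


class FakeClock:
    """Deterministic stand-in for time.monotonic(), used for the simulation."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed sample: a tiny "common passwords" dictionary of the kind a BFA bot carries.
SAMPLE_GUESSES = ["123456", "password", "qwerty", "letmein",
                  "admin", "welcome", "iloveyou", "monkey"]


def simulate_dictionary_run(guesses, real_password, bot_solves_captcha=False):
    """Replay a guess list against one account, one guess per second, and return the outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    outcomes = []
    for guess in guesses:
        outcomes.append(throttle.attempt("alice", guess == real_password,
                                         captcha_ok=bot_solves_captcha))
        clock.advance(1.0)
    return outcomes


if __name__ == "__main__":
    for guess, outcome in zip(SAMPLE_GUESSES, simulate_dictionary_run(SAMPLE_GUESSES, "correct horse")):
        print(f"{guess:10} -> {outcome}")
```

Run as a script, the simulation shows a dictionary bot getting three plain denials and then nothing but `captcha_required`; pass `bot_solves_captcha=True` and the same run ends in `locked` after the sixth failure instead. The design choice worth noting is that `attempt` checks the throttle state before the password, so a locked account gives the same answer to the right password as to a wrong one and leaks nothing to the attacker.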

Probably the best of these security measures is also the simplest one. Use a complex, uncommon password with a combination of letters and numbers (and symbols if permitted).