One of the most common attacks faced by developers is the brute-force attack. In these attacks, an attacker tries every possible combination of letters, numbers and symbols until the correct password is found. If your website requires authentication, you are a target for brute-force attacks. An attacker can obtain a password this way, but it may take years; depending on the length and complexity of the password, it may take several years. A brute-force attack can be made much faster, however, by using a dictionary, or slightly modified dictionary words, because most people use such words instead of a random, complicated password. These attacks are also called dictionary attacks or hybrid brute-force attacks. They compromise users' accounts and add unnecessary traffic to your site.

Hackers use a wide range of tools with clever word lists and rules to guess users' passwords intelligently and automatically. Although such attacks are easy to detect, they are not easy to prevent. For example, some HTTP brute-force tools can route requests through open proxy servers, and since each request comes from a different IP, you cannot stop the attack by blocking IPs. Some tools even try only one username and one password at a time, and you cannot lock an account for a single failed attempt.

Block accounts

The most obvious way to prevent these attacks is to lock accounts after a certain number of failed attempts. Accounts can be locked for a certain period of time, or they must be reactivated by the site administrator. However, locking accounts is not always the best way to prevent these attacks, because an attacker can easily abuse the rule to lock a large number of accounts. Some of the problems with this approach are:

  • An attacker can lock a large number of accounts.
  • Because an account that does not exist cannot be locked, only valid accounts get locked, and an attacker can use the error response for a locked account to discover valid usernames.
  • An attacker can create a diversion by locking a large number of accounts and flooding support with calls to recover them.
  • An attacker can lock an account permanently by locking it again seconds after the site administrator reactivates it.
  • Locking accounts is ineffective against slow attacks that try only a few passwords per hour.
  • Locking accounts is ineffective against attacks that test a single password against a list of usernames.
  • Locking accounts is ineffective against attacks that use a (username / password) list and guess correctly the first time.

Locking accounts is sometimes effective, but only in a controlled environment. In most cases, locking accounts is not enough to stop brute-force attacks. For example, consider an auction site where several bidders are competing for an item. If the auction site locks accounts, one bidder can lock the other bidders' accounts at the last minute, prevent their bids, and win. An attacker can use the same technique to block sensitive financial transactions and so on.


As explained, locking accounts is not a complete countermeasure, but there are other tricks for countering these attacks. Because the success of these attacks depends on time, an easy solution is to inject random pauses when checking the password. Adding a pause of even a few seconds slows down an attack considerably but does not bother most users logging in to the site. Note that although adding a delay slows down a single-threaded attack, it is less effective if the attacker sends multiple requests at the same time.

Another solution is to block an IP address after several failed attempts. The problem with this solution is that you may inadvertently block a whole group of users by blocking a proxy server used by an ISP. Another problem is that many tools use a list of proxies and send two or three requests from each IP before moving on to the next one, so an attacker can easily bypass IP blocking. Most sites do not lock accounts after a successful login, so an attacker can try two or three requests from each proxy: with a list of 1000 proxies, an attacker can try 2000 or 3000 passwords without any account being locked. One simple yet effective solution is to design your website so that its behaviour does not reveal failed attempts. For example, most websites send an HTTP 401 error for a wrong password. Some websites instead return HTTP 200 (success) and redirect the user to a page explaining that the password was entered incorrectly. This fools some tools, but it is also easy to bypass. A better solution is to use different error messages each time, or sometimes let the user through to a page and force them to enter the password again.

Some tools let an attacker enter a string to look for that indicates the login failed. For example, if the page contains the phrase "Bad username or password", the tool knows the attempt failed and tries the next username or password. A simple way to deal with this is to show, on a failed login, the same phrases that are shown on a successful one.

Force the user to answer a secret question after two or more unsuccessful attempts. This not only interferes with automated attacks, but also prevents an attacker from gaining access even if they have entered the username and password correctly.

Other techniques you can consider are:

  • For key users who want to protect their accounts against these types of attacks, allow them to log in only from a specific IP address.
  • Use a CAPTCHA to prevent automated attacks.
  • Instead of locking the account completely, lock it into limited access.
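To show how the random pause, the per-IP cut-off, the secret question and the limited-access lock described above fit together, here is an added example (not code from the original article): a login guard that counts failures per account and per IP in a sliding window, pauses randomly on failure, and after a few failures on an account demands a secondary question instead of locking the account outright. The `LoginGuard` class, its thresholds and the `challenge_ok` flag (set by the caller once the secret question has been answered) are assumptions of this example.

```python
import hmac
import random
import time
from collections import defaultdict, deque

# Assumed thresholds for this example; tune them to the site's real traffic.
ACCOUNT_FAILS_BEFORE_CHALLENGE = 3   # then require the secondary question
IP_FAILS_BEFORE_BLOCK = 20           # per-IP cut-off (evaded by proxy lists, see text)
WINDOW_SECONDS = 600                 # sliding window for counting failures
DUMMY_SECRET = "x" * 32              # compared against for unknown usernames

class LoginGuard:
    """Per-account soft lock plus per-IP throttle. An account is never hard-locked,
    so an attacker cannot lock out legitimate users by deliberately failing logins."""

    def __init__(self, users, now=time.time, sleep=time.sleep):
        self.users = users              # constructed {username: secret}; real code stores hashes
        self.now, self.sleep = now, sleep
        self.account_fails = defaultdict(deque)
        self.ip_fails = defaultdict(deque)

    def _recent(self, dq):
        """Drop timestamps outside the window and return how many remain."""
        cutoff = self.now() - WINDOW_SECONDS
        while dq and dq[0] < cutoff:
            dq.popleft()
        return len(dq)

    def _record_failure(self, username, ip):
        t = self.now()
        self.account_fails[username].append(t)
        self.ip_fails[ip].append(t)
        self.sleep(random.uniform(1.0, 3.0))   # random pause slows sequential guessing

    def attempt(self, username, password, ip, challenge_ok=False):
        """Return 'ok', 'challenge', 'blocked' or 'failed'. The caller shows one generic
        message for every non-'ok' result, so the response reveals nothing extra."""
        if self._recent(self.ip_fails[ip]) >= IP_FAILS_BEFORE_BLOCK:
            return "blocked"
        if self._recent(self.account_fails[username]) >= ACCOUNT_FAILS_BEFORE_CHALLENGE \
                and not challenge_ok:
            self._record_failure(username, ip)    # counted whether or not the password was right
            return "challenge"
        stored = self.users.get(username, DUMMY_SECRET)
        correct = username in self.users and hmac.compare_digest(stored.encode(), password.encode())
        if correct:
            self.account_fails[username].clear()
            return "ok"
        self._record_failure(username, ip)
        return "failed"
```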

Hackers can often bypass any single technique on its own, but by combining several of them you can significantly reduce these attacks. Although it is difficult to prevent these attacks completely, they are easy to detect, because each failed login leaves a record with HTTP code 401 in the server logs. It is important to monitor your server logs for these types of attacks, especially in certain situations. A 200 code among such attempts means that the attacker has found a valid password.

Conditions that can indicate brute-force attacks or abuse of an account:

  • Many failed logins from one IP
  • Attempts to log in with multiple usernames from one IP
  • Attempts to log in to one account from multiple IPs
  • Attempts to log in with usernames and passwords in alphabetical order
  • Attempts to log in with usernames or passwords such as ownsyou, washere, zealots or hacksyou, or similar strings commonly used by hackers
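As an added example, not part of the original article, here is a small detector for the conditions listed above, run over a constructed login log; the `ip=... user=... status=...` line format, the thresholds and the indicator names are assumptions of this example:

```python
import re
from collections import Counter, defaultdict

# Constructed sample login log for this example (not real traffic); one line per attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.9 user=aaron status=401
2024-05-01T10:00:02Z ip=203.0.113.9 user=abby status=401
2024-05-01T10:00:03Z ip=203.0.113.9 user=adam status=401
2024-05-01T10:00:04Z ip=203.0.113.9 user=alice status=401
2024-05-01T10:00:05Z ip=203.0.113.9 user=alice status=200
2024-05-01T10:01:00Z ip=198.51.100.1 user=bob status=401
2024-05-01T10:01:01Z ip=198.51.100.2 user=bob status=401
2024-05-01T10:01:02Z ip=198.51.100.3 user=bob status=401
2024-05-01T10:02:00Z ip=192.0.2.7 user=washere status=401
2024-05-01T10:05:00Z ip=192.0.2.8 user=carol status=200
"""
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) status=(\d{3})")
WATCHLIST = {"ownsyou", "washere", "zealots", "hacksyou"}   # strings the article calls out

def find_indicators(log_text, ip_fail_limit=3, users_per_ip_limit=3, ips_per_user_limit=3):
    """Return sorted (indicator, subject) pairs; thresholds are assumed values sized for the sample."""
    fails_by_ip, failed_before = Counter(), Counter()
    users_by_ip = defaultdict(list)     # insertion-ordered, to spot alphabetical sweeps
    ips_by_user = defaultdict(set)
    found = set()
    for ip, user, status in LINE_RE.findall(log_text):
        ips_by_user[user].add(ip)
        if user not in users_by_ip[ip]:
            users_by_ip[ip].append(user)
        if user in WATCHLIST:
            found.add(("watchlist_username", user))
        if status == "401":
            fails_by_ip[ip] += 1
            failed_before[user] += 1
        elif status == "200" and failed_before[user]:
            # a 200 after 401s on the same account: a guess may have landed
            found.add(("success_after_failures", user))
    for ip, n in fails_by_ip.items():
        if n >= ip_fail_limit:
            found.add(("many_failures_from_ip", ip))
    for ip, users in users_by_ip.items():
        if len(users) >= users_per_ip_limit:
            found.add(("many_usernames_from_ip", ip))
            if users == sorted(users):
                found.add(("alphabetical_username_sweep", ip))
    for user, ips in ips_by_user.items():
        if len(ips) >= ips_per_user_limit:
            found.add(("one_account_from_many_ips", user))
    return sorted(found)
```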

These attacks are difficult to stop, but with careful planning and multiple countermeasures you can limit your exposure. Finally, the best protection is for users to follow strong password rules: use long, unpredictable passwords, avoid dictionary words, prevent password reuse, and change passwords regularly.
