How to Prevent Brute Force Attacks

Posted on by Matthew Stevens | Updated:
Home > Blog > Security > How to Prevent Brute Force Attacks

TLDR: Use strong passwords to avoid a brute force attack.

How strong are your corporate passwords for your site logins and servers? How strict are your password policies for employees? According to Better Buys, passwords with only eight lowercase characters can be cracked in five hours. Luckily, times go up exponentially with character count, so a twelve character password would take two centuries.

Of course, this is all theoretical, but the point is this: if you want to retain control of your data and systems, have a strong password. Because without that, you are susceptible to a brute force attack.

What is a Brute Force Attack? 

A brute force attack is a type of cyber attack where hackers try a long list of passwords to access your site/server. These lists contain millions of different passwords, and they can run scripts that will send post requests to the site/server until they get confirmation that they successfully logged in.

As you read in the above example, computers can now crack passwords much quicker than before with technological advantages. Because of that, you will see rules when creating new accounts that your password needs to be 8+ characters and must include capital letters, numbers, and symbols.

What are the Goals of a Brute Force Attack?

Goals of brute force attacks differ from person to person. The five most common goals of brute force attacks are to:

  1. Steal your personal information.
  2. Use your credentials for credential stuffing.
  3. Use your information for phishing.
  4. Ruin your organization's reputation.
  5. Compromise your website(s).

All of the mentioned goals can be used by the same hacker to do as much damage as he/she can. Businesses that are breached struggle to recover, with 60% of small- to medium-sized businesses (SMBs) shutting down within six months of a breach.

There is one positive side to brute force attacks. Some companies test network security and verify the strength of encryption used on the network. For example, a banking network needs to be secured as much as possible, so they would always test their security to prevent data or money theft.

How Do You Recognize a Brute Force Attack?

Brute force attacks can be recognized by looking for multiple failed login attempts from the same IP or an increase in load on your server from an influx of post requests to your site. You will want to monitor your site closely or purchase hosting with a managed cloud provider to handle monitoring for you. Ensure that the support includes proactive monitoring so that someone is at the helm 24/7/365 to protect your site.

What are the Types of Brute Force Attacks?

There are four different types of brute force attacks. The only difference between the types of brute force attacks is the approach taken to crack your password. The main goal stays the same: breach your site for malicious activities.

1. Dictionary Attack

A dictionary attack starts with the most common passwords and goes through a list of passwords in the dictionary, and is the most basic attack type.

2. Credential Stuffing

Credential stuffing, also known as credential recycling, reuses credentials from other data breaches to get into other places where you used the same credentials. This is why it’s extremely important to have a different password for email, Facebook, PayPal, Amazon, etc.

3. Reverse Brute Force

A reverse brute force attack uses common passwords and goes through a list of possible usernames. One in a million users will have a password like "password" (if the site allows this password). Other passwords, such as 123456 or qwerty, are extremely weak and susceptible to attack. If you are using one of these passwords for any of your sites, change the password now.

4. Hybrid Brute Force 

A hybrid brute force attack usually combines the most common passwords with random characters. This type of attack would then guess "password123", "123456abc".

This infographic shows five ways to prevent a brute force attack. They are to use strong passwords, enable two-factor authentication, restrict the number of failed attempts for login, restrict access from other IPs, and to enable CAPTCHA for your sites.

The Five Steps to Prevent a Brute Force Attack

To get a better idea of how things work, you can compare the server or site with your house, family, and friends with users while comparing hackers with thieves. Opening the front door with the correct key will allow your friends and family to visit you at any time, but this allows thieves to try to pick the lock on your front door as well. There is no permanent solution that is 100% secure, and with each good technological advantage, there comes one negative. But there are specific steps you can take to stay as secure as possible.

Here are the top five steps to prevent a brute force attack:

1. Use Strong Passwords

Using strong passwords is the number one most effective way to prevent a brute force attack. Every extra character in your password will increase the time of breaking into your account, so adding an extra letter symbol at the end would make your password more secure than your current password. Try using a combination of letters, numbers, capitalization, and special characters in each password. Also, you can try using passphrases, which are several words stuck together. If you only want to remember one difficult password, use a password manager to manage all of your passwords for you. 

2. Enable Two-Factor Authentication

If you don’t want to use strong passwords, another way to prevent brute force attacks and breach is to set up two-factor authentication (2FA). This will allow you to log in as you would do everywhere else, but this extra step of sending a notification to your phone to confirm your identity will prevent hackers from breaking into your account. Application-based 2FA is preferable to text-based notifications, but either is better than having a password alone.

3. Restrict Number of Failed Attempts

Another way to secure your accounts is to restrict the number of failed attempts to access your site or server. This one is a double-edged sword. With a limited number of attempts, you count on your employees and customers to never forget their passwords.

4. Restrict Access From Other IPs

By denying access to your admin account on your server from every IP except your own IP, you will prevent any attacks on your server. You will also be the only one able to log in until your IP changes the next day. Yes, you can always contact support to whitelist your IP, but this can be avoided if you get a static IP from your ISP provider. A static IP can be extremely effective if you have the correct permissions set up for all of your server admins.

5. Enable CAPTCHA

Enabling CAPTCHA will disable any bot/script from posting too many requests in a small amount of time. This is a good way to secure your login pages and contact forms to prevent spamming and increasing load on your server. 

Strong Passwords Prevent Brute Force Attacks

In conclusion, when creating a new account, place yourself in the shoes of a hacker, and think how many tries it would take to crack your password. If someone breaks into this account, where else can they reuse the same username and password? Brute force attacks happen every day to many without their knowledge, and it is much easier to prevent it in the beginning while you are still in control over your account. 

Avatar for Matthew Stevens
About the Author

Matthew Stevens

I'm a system administrator, developer, and I'm constantly improving and learning new skills. In my spare time I keep myself in shape with dancing... breakdancing!

View All Posts By Matthew Stevens