My friends and family are under attack in Ukraine. Donate to protect them directly or help international organizations.

Brute-force countermeasures

June 10th, 2014

Password brute-forcing refers to trying all password permutations until the attacker finds the right one. Here are some of the most common ways to mitigate that risk:

  • Increase the length of the password.
    With every additional character, the number of permutations goes up exponentially. Say you use 26 letters and 7 characters. You'll get 8 billion combinations. Increase that to 8 characters and you get about 200 billion.
  • Increase the number of possible characters.
    With 26 letters, both uppercase and lowercase, numbers and symbols, you get to 94 possibilities. This translates into 6 quadrillion possibilities for the 8-character password.

The human factor should not be ignored here. People often use letters in the beginning and numbers at the end. Many people also use common combinations such as "password", "123456" and "admin". Attackers have a dictionary of these common passwords and can break many of those in less than a second.

Although it's good practice to force users to use more than just letters, some websites are overdoing it by forcing users to enter at least one number, uppercase, lowercase, punctuation, symbol, etc. This can lead to very poor user experience, especially if you don't tell them the password requirements before validating the form.

  • Requiring a captcha after a number of unsuccessful attempts.
    A user may make a legitimate error, but after 3 or 4 attempts, it becomes suspicious. Captchas (type the words that you see in a picture) are used to make sure that it's a human instead of a computer. Computers have gotten increasingly good at decoding captchas, but at least it slows them down.
  • Sending a code to the user's cellphone.
    Similar to captcha, you can send a one-time code to the user's cellphone that will have to be entered online to continue. This is why so many websites now ask you for your number in the name of security.
  • Locking an account after a number of unsuccessful attempts.
    This is something that all banks do because the impact of somebody breaking in is can be devastating. The idea is that too many attempts will cause the account to be locked and the user will have to go through additional security to unlock it, such as calling by phone. An attacker can't possibly try quadrillions of passwords under these circumstances.

There is another less common countermeasure. We know that with a simple desktop computer, a password such as "gotsec45" can be broken in a few minutes. Imagine how quickly it will go with a room full of powerful computers.

  • Add a delay between unsuccessful attempts.
    If you force even a 5-second delay between attempts, it won't matter how powerful the attacker's computer is. It will take almost 32 thousand years to try all combinations to an 8-character password comprised of only lowercase letters.

Don't rely on a single method. Use a combination of methods that makes sense for your business type and your users. Go ahead, give those methods a spin.

Do you use a countermeasure not mentioned here? Share it in the comments!

Previous: Terms of Service: do you read them? Next: How to kill creativity, part 2