Illustration of a shield against a gradient background.
13 min read

How to prevent brute force attacks

Matthew Stevens
Security

Key points

  • Brute force attacks pose a significant threat to digital security, but can be prevented through strong passwords, two-factor authentication, and limiting login attempts.
  • Effective detection and monitoring strategies, including log analysis and intrusion detection systems, are crucial for identifying and responding to potential attacks quickly.
  • Partnering with a security-focused hosting provider like Liquid Web offers comprehensive protection against brute force attacks through multi-layered security measures and customizable solutions.

Shop DDoS protected VPS hosting

Imagine a thief trying every key on a massive keyring to break into your home. Now picture that happening to your online accounts, but at lightning speed. That’s essentially what a brute force attack is, and it’s a bigger problem than you might think.

Recent findings from Verizon’s 2024 Data Breach Investigations Report paint a worrying picture: a staggering 21% of all basic web application attacks use brute force techniques. In other words, for every five attempts to break into a web application, one relies on this method. 

Why should this keep you up at night? Because a successful attack can lead to stolen data, drained bank accounts, and the kind of reputation damage that makes customers think twice before trusting a business again. But don’t panic! 

While brute force attacks are a serious threat, they’re not unbeatable. In this article, we’ll break down what these attacks are, why they’re so popular among cybercriminals, and most importantly, how you can protect yourself and your business from becoming the next target.

What is a brute force attack? 

A brute force attack is a type of cyber attack where hackers try a long list of passwords to access your site/server. These lists contain millions of different passwords, and they can run scripts that will send post requests to the site/server until they get confirmation that they successfully logged in.

As you read in the above example, computers can now crack passwords much quicker than before with technological advantages. Because of that, you will see rules when creating new accounts that your password needs to be 8+ characters and must include capital letters, numbers, and symbols.

What are the types of brute force attacks?

There are four different types of brute force attacks. The only difference between the types of brute force attacks is the approach taken to crack your password. The main goal stays the same: breach your site for malicious activities.

1. Dictionary attack

A dictionary attack starts with the most common passwords, goes through a list of passwords in the dictionary, and is the most basic attack type.

Dictionary attacks can be surprisingly effective against users who rely on common or weak passwords. For instance, in the infamous LinkedIn data breach of 2012, attackers successfully cracked millions of passwords due to weak hashing algorithms and the prevalence of common passwords. However, this method has limitations. It’s largely ineffective against complex, unique passwords that don’t appear in standard dictionaries or password lists.

2. Credential stuffing

Credential stuffing, also known as credential recycling, reuses credentials from other data breaches to get into other places where you used the same credentials. This is why it’s extremely important to have a different password for email, Facebook, PayPal, Amazon, etc.

The danger of credential stuffing lies in its exploitation of human nature. Many users, overwhelmed by the number of online accounts they manage, reuse the same password across multiple platforms. This practice turns a single breach into a potential goldmine for attackers. 

A prime example of credential stuffing’s effectiveness occurred in 2019 when Disney+ launched. Within hours, numerous user accounts were hijacked. Attackers used credentials from previous, unrelated breaches to gain unauthorized access, highlighting the cascading effect of password reuse.

3. Reverse brute force

A reverse brute force attack uses common passwords and goes through a list of possible usernames. One in a million users will have a password like “password” (if the site allows this password). Other passwords, such as 123456 or qwerty, are extremely weak and susceptible to attack. 

To prevent reverse brute force attacks, organizations should implement strong password policies, use CAPTCHAs to prevent automated attempts, and limit the number of allowed login attempts. These measures significantly reduce the attack’s effectiveness by making it time-consuming and resource-intensive for attackers.

4. Hybrid brute force 

A hybrid brute force attack usually combines the most common passwords with random characters. This type of attack would then guess “password123”, “123456abc”, etc.

The 2013 Adobe data breach is a stark reminder of the potency of hybrid attacks. Attackers used sophisticated hybrid techniques to crack millions of passwords, even those that users thought were relatively secure due to character substitutions or additions.

The eight steps to prevent a brute force attack

There is no permanent solution that is 100% secure, and with each good technological advantage, there comes a negative. But there are specific steps you can take to stay as secure as possible.

Here are the top eight steps to prevent a brute force attack:

1. Use strong passwords

Using strong passwords is the number one most effective way to prevent a brute force attack. 

When creating passwords, aim for a minimum of 12 characters, incorporating a mix of uppercase and lowercase letters, numbers, and special symbols. Consider using passphrases – a series of random words strung together – as they are typically longer and easier to remember than complex single-word passwords.

For example, “correct horse battery staple” is more secure and memorable than “P@ssw0rd123!”. Additionally, encourage the use of unique passwords for each account to mitigate the risk of credential stuffing attacks.

For those struggling to manage multiple complex passwords, password managers offer a secure solution. These tools generate and store strong, unique passwords for all your accounts, requiring you to remember only one master password.

2. Enable two-factor authentication

If you don’t want to use strong passwords, another way to prevent brute force attacks and breaches is to set up two-factor authentication (2FA). This will allow you to log in as you would do everywhere else, but this extra step of sending a notification to your phone to confirm your identity will prevent hackers from breaking into your account. 

Time-based one-time passwords (TOTP) generated by authenticator apps are generally more secure than SMS-based codes. These apps generate temporary codes that change every 30 seconds, making them significantly harder to intercept or predict.

For even higher security, consider hardware security keys. These physical devices plug into your computer or connect via NFC to your mobile device, providing a solid defense against phishing and man-in-the-middle attacks.

When implementing 2FA, educate users about its importance and provide clear instructions for setup. Consider making 2FA mandatory for all admin accounts and strongly encouraged for regular users. Remember to also implement backup methods for account recovery if users lose access to their second factor.

3. Restrict number of failed attempts

Limiting the number of failed login attempts is an effective strategy to thwart brute force attacks. However, it’s important to strike a balance between security and user convenience.

Instead of a simple lockout after a set number of attempts, consider implementing a progressive delay system. For example:

  • After 3 failed attempts, introduce a 5-second delay.
  • After 5 failed attempts, increase the delay to 30 seconds.
  • After 10 failed attempts, lock the account for 1 hour.

This approach frustrates automated attacks while giving legitimate users who may have forgotten their password a chance to access their account.

Additionally, implement a system to notify users of failed login attempts. This can alert them to potential unauthorized access attempts and prompt them to take action, such as changing their password or enabling additional security measures.

4. Restrict access from other IPs

By denying access to your admin account on your server from every IP except your own IP, you will prevent any attacks on your server. You will also be the only one able to log in until your IP changes the next day. Yes, you can always contact support to whitelist your IP, but this can be avoided if you get a static IP from your ISP provider. A static IP can be extremely effective if you have the correct permissions set up for all of your server admins.

For admin accounts, consider whitelisting specific IP addresses. This ensures that even if credentials are compromised, an attacker cannot access the account from an unauthorized location. However, be mindful of the challenges this can pose for remote work scenarios.

For regular users, implement geolocation-based restrictions. Flag or block login attempts from countries where you don’t typically have users or from locations known for high rates of cyber attacks.

Implement a system for users to easily report if they’re traveling and may need to access their account from a new location. This helps prevent legitimate users from being locked out while maintaining strong security measures.

5. Enable CAPTCHA

Enabling CAPTCHA will disable any bot/script from posting too many requests in a small amount of time. This is a good way to secure your login pages and contact forms to prevent spamming and increasing load on your server. 

Modern CAPTCHAs, like reCAPTCHA v3, work in the background to analyze user behavior and determine if the interaction is likely human or bot. This approach allows you to challenge only suspicious traffic, improving the user experience for legitimate visitors.

When implementing CAPTCHA:

  • Use adaptive CAPTCHAs that increase in difficulty based on risk assessment.
  • Implement CAPTCHAs not just on login pages, but also on password reset and registration forms.
  • Consider using audio CAPTCHAs as an alternative for visually impaired users.

Remember that while CAPTCHAs are effective against many automated attacks, they’re not foolproof. Sophisticated attackers may use CAPTCHA-solving services or machine learning to bypass these protections. Therefore, CAPTCHA should be used in conjunction with other security measures, not as a standalone solution.

6. Use unique login URLs

Default login URLs are often the first target for attackers. Strengthen your security by implementing custom, hard-to-guess login URLs. For instance, instead of using “/admin” or “/login”, create a unique path like “/secure-access-point-2023”.

Consider implementing separate login URLs for different user roles. For example, use one URL for regular users and a completely different one for administrative access. This separation adds an extra layer of security for your most sensitive accounts.

Implement server-side measures to restrict access to these login pages. Use .htaccess files or similar server configurations to limit access based on IP addresses or other criteria. This can help prevent automated scanning tools from even discovering your login pages.

Remember to communicate these unique URLs securely to authorized users. Never publish them publicly or include them in easily accessible documentation.

7. Disable root SSH logins

For server security, especially in Linux environments, disabling root SSH logins is a critical step. Instead of allowing direct root access, implement the following best practices:

  • Create individual user accounts with sudo privileges for administrative tasks.
  • Configure SSH to disallow root logins by setting “PermitRootLogin no” in the sshd_config file.
  • Use key-based authentication instead of password authentication for SSH access.
  • Implement IP whitelisting for SSH access, allowing connections only from trusted IP addresses.

Regularly audit SSH access logs and consider using intrusion detection systems to monitor for suspicious SSH activity. Implement automated alerts for any attempted root logins or unusual SSH connection patterns.

8. Implement Web Application Firewalls (WAFs)

Web Application Firewalls provide an additional layer of security against various web-based attacks, including brute force attempts. When implementing a WAF:

  • Configure it to detect and block suspicious traffic patterns associated with brute force attacks.
  • Implement rate limiting to prevent rapid-fire login attempts from a single source.
  • Use custom rules to block known attack signatures and IP addresses with a history of malicious activity.
  • Regularly update WAF rules to protect against emerging threats and new attack vectors.

Consider both cloud-based and on-premises WAF solutions based on your infrastructure and security requirements. Cloud-based WAFs can offer advantages in terms of scalability and ease of management, while on-premises solutions may provide more granular control.

Integrate your WAF with other security systems, such as your SIEM (Security Information and Event Management) tool, to provide a comprehensive view of your security posture and enable faster response to potential threats.

Advanced detection and monitoring strategies against brute force threats

Unlike preventive measures such as strong password policies or login attempt limitations, detection and monitoring focus on identifying attacks as they occur or after they’ve happened. Here are some advanced strategies: 

Log analysis

Regular analysis of server logs is essential for identifying potential brute force attempts. Look for:

  • Multiple failed login attempts from the same IP address.
  • Rapid succession of login attempts.
  • Login attempts outside of normal business hours.
  • Unusual patterns in usernames being tried.

Automated log analysis tools can help process large volumes of log data and flag suspicious activities for further investigation.

Intrusion detection systems

Implementing an Intrusion Detection System (IDS) provides an additional layer of security. An IDS can monitor network traffic in real time, detect patterns indicative of brute force attacks, alert security personnel to potential threats, and integrate with other security systems for a coordinated response. Both network-based and host-based IDS solutions can be valuable in detecting brute force attempts.

User activity monitoring

Monitoring user activity helps establish baseline behavior and identify anomalies that could indicate a compromised account. 

Key aspects include tracking login times and locations, monitoring access to sensitive resources, identifying unusual data access or transfer patterns, and flagging sudden changes in user behavior. User and Entity Behavior Analytics (UEBA) tools can automate this process, using machine learning to detect anomalies.

Server log monitoring

Real-time monitoring of server logs is important for rapid response to potential attacks. This involves setting up alerts for specific events (e.g., multiple failed logins), using SIEM tools to correlate data from multiple sources, and establishing a 24/7 monitoring process, either in-house or through a managed security service provider. Regularly reviewing and updating monitoring rules is essential to adapt to new threat patterns.

Choose Liquid Web for brute force attack prevention

Brute force attacks can have devastating consequences for individuals and organizations alike, from data breaches to financial losses and reputational damage. Luckily, by implementing a multi-layered approach to security, it’s possible to reduce the risk of successful attacks.

Using strong, unique passwords is a great first step. Adding two-factor authentication provides an important extra layer of protection. Setting up detection and monitoring systems also helps quickly identify and respond to potential threats.

However, as online dangers become more sophisticated, security measures must keep pace. For many organizations, partnering with a security-focused hosting provider can make a significant difference. Liquid Web is a solid option in this field, offering a comprehensive approach to cybersecurity. Their services include constant monitoring, customizable security options, and dependable backup solutions.

So, why wait? Contact Liquid Web today to explore how their security solutions can be customized to protect your online presence and provide peace of mind.

Shop secure web hosting

Note on the original publish date: This blog was originally published in December 2020. It has since been updated for accuracy and comprehensiveness.

Related articles

Dedicated Server 9 min read
Securing your data: An introduction to data isolation Luke Cavanagh
Security 4 min read
Top 5 Ecommerce Security Needs Kerri Molitor
Security 2 min read
PCI Compliant Hosting With Liquid Web Liquid Web
Security 9 min read
What Is Enterprise Cybersecurity? Definition and Best Practices Michelle Almendarez
Security 8 min read
How to Securely Run Traditional Software and Applications Kelly Goolsby
Security 6 min read
What is Disaster Recovery-as-a-Service (DRaaS)? Mohammed Noufal

Wait! Get exclusive hosting insights

Subscribe to our newsletter and stay ahead of the competition with expert advice from our hosting pros.

Loading form…