Protecting Your Users from Brute-Force Attacks

This post is the second in a series on how to protect users from common online security threats.The previous post in this series explored what users can do to protect themselves from phishing. We now turn our attention to brute-force attacks, which can be used to find passwords to gain access to users’ accounts.If a password is a needle in a haystack of possible passwords, brute-force attacks involve systematically guessing the location of the needle until it is found. The simplest type of attack involves trying passwords from a predefined list of common passphrases, but more sophisticated attacks can involve automatically generating and trying combinations of alphanumeric and special characters. A brute-force attack can succeed in finding a password, given enough guesses and time.The effectiveness of brute-force attacks to find a password depends on two factors:

1. The rate at which passwords can be guessed
2. The size of the ‘search space’ for a password

The rate at which passwords can be guessed has increased exponentially with advances in technology. According to documents provided by Edward Snowden, the NSA is seeking to build a quantum computer that could crack all types of current public key encryption by the sheer potential of its processing power. Distributed systems, where multiple computers work together in a single attack, can also greatly decrease the time taken to find a password.

The size of the ‘search space’ for a password is simply how large the haystack of possible passwords is. For a typical ATM machine, which accepts 4 digit PINs, the search space comprises 10,000 possible passwords (that’s every 4-digit number from 0000 to 9999). Increasing the search space for a password increases the average time a brute-force attack will take to find the password. For example, an 8-character password with at least one number, one uppercase character, and one lowercase character, has a search space of over 200 trillion possible  passwords.Methods to prevent the success of a brute-force attack in finding a password focus on limiting the allowed rate or amount of password guesses and increasing the search space for the password.To limit the speed of a brute-force attack, CAPTCHA phrases can be used to verify that a person is entering the password as humans cannot make guesses at the same rate as a computer. However, this method has received criticism from the perspective of user experience. A better method is to limit the number of guesses allowed by enforcing an account ‘lockout’ after a defined number of incorrect password entries. This means that even the most powerful computer can only make a finite number of guesses before it causes an account to be locked.Increasing the search space for a password can be achieved by requiring a minimum length and level of complexity for passwords set by users. Two-step verification can also be used to achieve the same effect. Two-step verification is where the user is required to confirm his or her identity through a phone call or push notification to a mobile device after the correct password is entered. The advantage of using two-step verification is that a user can immediately prevent the attacker from successfully authenticating and can then change his or her password when an unexpected request for identity verification is received.Egnyte has partnered with Duo Security to offer a robust Two-Step Login Verification system, which IT admins can make mandatory for account users. Egnyte’s advanced authentication package also allows admins to set password policies and enforce timed or indefinite ‘lockouts’ for accounts after a set number of incorrect password entries.