Brute force attack mitigation 101

These days, any hacker worth the name will not bother with just throwing CPU power at the brute force problem…

You will often hear the much-repeated, yet still mistaken, mantra that there’s nothing you can do to stop a brute force attack. The truth is that while the odds are stacked in favour of the determined attacker, that doesn’t mean that mitigation methods cannot be effective.

Trying to write a meaningful history of the brute force attack is pointless. The bad guys have been trying to guess passwords to accounts that don’t belong to them since, well, forever. Back in the day, hackers would use various techniques for educating those guesses; everything from dumpster diving (where skips and bins outside businesses were raided in order to find documentation containing login information), through to social engineering (conning staff into handing over the password), and, of course, the use of commonly implemented weak strings.

It’s the latter that quickly became an automated task, with savvy hackers setting a database of likely words on the task as a batch process, and then sitting back until the crack was complete. These became known as dictionary attacks, and cracking tools such as Cain and Abel, John the Ripper, and L0phtCrack became popular methods of executing them.

Click here to read complete article