What is a Brute Force Attack?

A brute force attack is exactly what it sounds like. It’s an attempt to guess a password or PIN by a process of trial and error. You might think that in this day and age, there’s no way that such a basic form of attack should be able to succeed. You’d be right: it shouldn’t, but it often does because businesses fail to take effective measures against it.

Defending yourself against a brute force attack

The good news is that defending yourself against a brute force attack is more about effective processes than expensive software tools. Here are the areas you must address to keep your website, and your business, safe from this threat: the default admin login panel, obvious usernames, too many admin users, weak passwords, blocking users who repeatedly enter their password incorrectly, and monitoring your website’s traffic.

How to Prevent Brute Force Attacks?

The default admin login panel

All the main content management systems used to create websites are open source. This means that any cybercriminal can learn the default admin login panel with just a quick internet search. Changing this is, literally, the work of a few minutes and provides a meaningful improvement to your website’s security, especially with regards to brute force attacks.

Obvious usernames

Putting all your usernames into an obvious, standardized format may make life more convenient for your administrators, but it also makes life more convenient for brute force attackers. Remember that brute force attackers need to know two pieces of information to get the third: they need your login URL and at least one username. The harder you make it for them to get either (or preferably both) of these, the more protection you give your website.

As an absolute minimum, avoid using blatantly obvious names like “admin” or close derivatives of it like “admin1”. This is effectively just asking for trouble.

Too many admin users

Quite bluntly, you need to think of every admin login as a potential attack vector. The more of them you have, the more you expose yourself to the threat of attack. Work out the minimum number of admin users you need for your website to function effectively and only issue this number of admin logins. What’s more, there needs to be a robust process to ensure that all admin logins are promptly revoked as soon as they cease to be needed.

Weak passwords

The harsh reality is that it is virtually impossible to force people to use strong and unique passwords. If you try, for example, by assigning them a password and refusing to let them change it, they will simply end up writing it down and/or saving it electronically. You can, however, encourage and motivate them to do so.

Generally, the best way to achieve this is to phrase the issue in a way that highlights that using a strong password is in their best interests too. For example, you can point out that website attacks damage the company which pays their salary.

You can, and should, enable two-factor authentication whenever possible. Be very aware, however, that this is, sadly, not a silver bullet for login security. It can be compromised, especially if, as SMBs often do for reasons of convenience and cost, you implement it via text message rather than via a token. It is, however, a solid boost for your website’s security and a great defense against brute force attacks.

Block users who repeatedly enter their password incorrectly

Like changing the default admin panel, this is such a simple measure and it can make such a difference, particularly in the case of brute force attacks. For completeness, it’s also recommended to log people out automatically after they have been idle for a certain period. This won’t help against brute force attacks but it will help a lot against other forms of security threat.

Monitor your website’s traffic

If you’re running a business website, you really should invest in a website vulnerability scanner. These are available from a wide range of vendors, and the different services have different capabilities, but any decent product will include an anti-malware scanner and a web application firewall. Overall, you need both. In the context of brute force attacks, you need a firewall and preferably a ping-testing service as well.

Use these brute force attack prevention tools to monitor your network’s traffic. This may allow you to pick up on brute force attacks in progress due to the traffic they create. It certainly isn’t guaranteed, but it’s definitely worth trying.
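The two measures above, blocking a source after repeated failed logins and spotting an attack from the traffic it generates, can be combined in one piece of detection logic. The following is an added example, not code from the article or from Comodo: it replays constructed access-log lines, counts failed logins per client IP within a sliding window, and records when a source would be blocked. The log format, the admin login path `/admin/login`, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format: ISO timestamp, client IP,
# method, path, HTTP status). The login path "/admin/login" is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 POST /admin/login 401
2024-05-01T10:00:03 203.0.113.5 POST /admin/login 401
2024-05-01T10:00:05 203.0.113.5 POST /admin/login 401
2024-05-01T10:00:08 203.0.113.5 POST /admin/login 401
2024-05-01T10:00:11 203.0.113.5 POST /admin/login 401
2024-05-01T10:00:14 203.0.113.5 POST /admin/login 401
2024-05-01T10:01:00 198.51.100.7 POST /admin/login 401
2024-05-01T10:01:30 198.51.100.7 POST /admin/login 401
2024-05-01T10:02:00 198.51.100.7 POST /admin/login 401
2024-05-01T10:02:30 198.51.100.7 POST /admin/login 401
2024-05-01T10:03:00 192.0.2.9 POST /admin/login 401
2024-05-01T10:03:20 192.0.2.9 POST /admin/login 200
2024-05-01T10:04:00 192.0.2.9 GET /index.html 200
2024-05-01T10:20:00 198.51.100.7 POST /admin/login 401
"""
LOGIN_PATH = "/admin/login"
FAIL_THRESHOLD = 5               # failures that trigger a block ...
WINDOW = timedelta(minutes=5)    # ... when they fall inside this sliding window
LOCKOUT = timedelta(minutes=15)  # how long the source stays blocked

def parse_line(line):
    ts, ip, _method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)

def detect_lockouts(log_text):
    """Replay the log in order; return {ip: time at which the block began}."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failed logins
    locked = {}
    for line in log_text.strip().splitlines():
        ts, ip, path, status = parse_line(line)
        if path != LOGIN_PATH:
            continue  # only login attempts count toward the threshold
        if ip in locked and ts - locked[ip] < LOCKOUT:
            continue  # already blocked: reject without counting further guesses
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:  # evict failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                locked[ip] = ts
        else:
            recent[ip].clear()  # a successful login resets the counter
    return locked
```

In the sample, only 203.0.113.5 is blocked: 198.51.100.7 also fails five times, but its fifth failure falls outside the window, and 192.0.2.9 logs in successfully after one mistake, which resets its counter.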


© 2024 Comodo Security Solutions, Inc