TL;DR
Brute force attacks try to guess usernames and passwords to get into customer accounts. We’ll show you how to slow down login attempts, lock accounts after too many failures, and use strong password policies to make these attacks much harder.
1. Rate Limiting
Rate limiting restricts the number of login attempts from a single IP address or user account within a specific timeframe. This makes it difficult for attackers to quickly try lots of combinations.
- Choose a rate limit: Start with something like 5 failed attempts in 5 minutes per IP address. You can adjust this based on your application’s normal usage patterns.
- Implement the logic: Your application needs to track login attempts and enforce the limits. Most web frameworks have built-in features or middleware for rate limiting. Here’s an example using a simple in-memory store (for demonstration – use Redis or a database in production):
# Python Example (Flask)
from flask import Flask, request, session
import time
app = Flask(__name__)
login_attempts = {}
@app.route('/login', methods=['POST'])
def login():
ip_address = request.remote_addr
if ip_address in login_attempts:
last_attempt_time, attempt_count = login_attempts[ip_address]
current_time = time.time()
if current_time - last_attempt_time < 300 and attempt_count >= 5: # 5 attempts in 5 minutes
return "Too many failed login attempts", 429
login_attempts[ip_address] = (current_time, attempt_count + 1)
else:
login_attempts[ip_address] = (time.time(), 1)
# ... your actual login logic here ...
Important: Don’t rely solely on IP addresses for rate limiting, as attackers can use proxies or VPNs to change their IP.
2. Account Lockout
After a certain number of failed login attempts, temporarily lock the account. This prevents further guessing and alerts the user that something might be wrong.
- Set a lockout threshold: For example, lock an account after 10 failed attempts.
- Implement lockout duration: Lock the account for a reasonable period (e.g., 30 minutes).
- Store lockout information: Keep track of locked accounts and their unlock times in your database.
- Notify users: Send an email to the user when their account is locked, explaining why and how to unlock it.
# Example Database Schema (simplified)
CREATE TABLE accounts (
id INT PRIMARY KEY,
username VARCHAR(255) NOT NULL,
password_hash VARCHAR(255) NOT NULL,
locked BOOLEAN DEFAULT FALSE,
lockout_time TIMESTAMP
);
3. Strong Password Policies
Enforce strong password requirements to make it harder for attackers to crack passwords using brute force or dictionary attacks.
- Minimum length: Require a minimum password length (e.g., 12 characters).
- Complexity: Enforce the use of uppercase letters, lowercase letters, numbers, and symbols.
- Password history: Prevent users from reusing previous passwords. Store a hash of recent passwords to check against.
- Regular password changes: Encourage (or require) users to change their passwords periodically.
Consider using a password strength meter in your application to guide users towards creating strong passwords.
4. Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring users to provide a second form of verification, such as a code from their phone or an authenticator app. This makes it much harder for attackers to gain access even if they have the correct password.
- Choose an MFA method: Options include SMS codes, authenticator apps (e.g., Google Authenticator), and security keys (e.g., YubiKey).
- Integrate with your application: Implement MFA functionality in your login process.
- Encourage adoption: Make MFA easy to use and promote its benefits to users.
5. Monitor Login Attempts
Keep an eye on failed login attempts and other suspicious activity.
- Log all login attempts: Record the username, IP address, timestamp, and success/failure status of each attempt.
- Set up alerts: Configure alerts to notify you of unusual patterns, such as a large number of failed attempts from a single IP address or account.
- Review logs regularly: Look for potential attacks and investigate any suspicious activity.