Whether a brute force attack targets a system's central password file or, as in the iCloud case, the attacker already knows the victim's Apple ID, these precedents show how important it is to protect yourself against this pervasive password-cracking method. In general, most users know the basic principles for creating strong passwords: combine different types of characters, ideally upper and lower case letters together with numbers and special characters. And of course, the longer the password, the harder it is to crack.
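To make the two rules above concrete (more character classes, more length), the following added example, which is not part of the original article, estimates the keyspace an exhaustive attacker has to search. It assumes the attacker knows the password length and which character classes are in use, and the guess rate passed to `seconds_to_exhaust` is a constructed figure, not a measurement.

```python
import math
import string

# Character classes the text recommends combining. Sizes are the standard
# printable ASCII counts (32 specials come from string.punctuation).
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must consider, assuming the
    attacker knows the length and the classes in use (worst case for the
    attacker, so this is an upper bound on the work)."""
    if not password:
        return 0
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def guess_bits(password: str) -> float:
    """Keyspace expressed in bits, the usual way to compare strength."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at a constructed guess rate; used only to
    illustrate how length and class mix change the attacker's cost."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords; the rate 1e9/s is an assumed figure.
    for pw in ["abcdefgh", "Abcdefgh", "Abc1efgh", "Abc1!fgh", "Abc1!fghijkl"]:
        print(f"{pw:14} classes={len(classes_used(pw))} bits={guess_bits(pw):5.1f} "
              f"exhaust@1e9/s={seconds_to_exhaust(pw, 1e9):.2e}s")
```

Adding a fourth character class to an eight-character password multiplies the keyspace by about (94/26)^8, while adding four more characters to a four-class password multiplies it by 94^4; the printout makes it clear that length wins.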
Creating passwords for online services is a bit more complicated, because the rules are set by the provider. Typical requirements are a maximum length of eight to ten characters and often a limited set of letters and numbers, which is not very satisfactory without additional security measures. In these cases you depend on the precautions the web project's operators have taken against brute force attacks. If you are the administrator of a website with a login mechanism, that responsibility falls on you. There are two possible approaches:
- Protecting the password mechanism
- Establishing a multi-factor authentication method
Protecting the password mechanism should be a standard component of login forms; however, as the iCloud scandal shows, this is not always the case. This protection consists of strategies that make it difficult for brute force software to operate. For example, when a user or attacker enters an incorrect password, the option to enter another one is offered only after a short waiting period. The waiting time can also be increased as the number of unsuccessful attempts grows. To go a step further, as Apple did after the attack, the account can be locked completely after a certain number of login attempts.
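The three measures in this paragraph (a delay after a wrong password, a delay that grows with each failure, and a lock after a fixed number of failures) fit in one small per-account throttle. The following is an added example and not code from the original article or from any provider it mentions; the class name `LoginThrottle`, the parameter values and the `verify` callback are all assumptions, and the clock is injectable so the behaviour can be checked without real waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords for this account
    next_allowed: float = 0.0  # clock value before which attempts are refused
    locked: bool = False       # set once max_failures is reached


class FakeClock:
    """Deterministic stand-in for time.monotonic, used in the demo/tests."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class LoginThrottle:
    """Per-account brute force protection: a wait after each wrong password
    that doubles with every consecutive failure (capped at max_delay), and a
    full lock once max_failures is reached. Successful login resets the state."""

    def __init__(self, base_delay=1.0, max_delay=300.0, max_failures=10,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_failures = max_failures
        self.clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def delay_after(self, failures: int) -> float:
        """Wait imposed after the n-th consecutive failure: 1s, 2s, 4s, ... capped."""
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, username: str, password: str, verify) -> tuple:
        """Gate a login. verify(username, password) -> bool is the real
        credential check and is only called when the throttle permits it.
        Returns (ok, reason) with reason in {ok, wait, locked, bad_password}."""
        st = self._state(username)
        now = self.clock()
        if st.locked:
            return False, "locked"
        if now < st.next_allowed:
            # Refuse without even checking the password: the attacker gets no
            # signal about correctness, and no work is spent on hashing.
            return False, "wait"
        if verify(username, password):
            self._accounts[username] = AccountState()   # reset counters
            return True, "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return False, "locked"
        st.next_allowed = now + self.delay_after(st.failures)
        return False, "bad_password"


def demo() -> list:
    """Walk one account through the escalation with a constructed password."""
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=1.0, max_delay=8.0, max_failures=4, clock=clock)
    verify = lambda user, pw: pw == "correct horse"     # constructed credential
    log = []
    for t, pw in [(0.0, "x"), (0.0, "x"), (1.0, "x"), (3.0, "x"), (7.0, "x"),
                  (100.0, "correct horse")]:
        clock.t = t
        log.append((t, throttle.attempt("alice", pw, verify)))
    return log


if __name__ == "__main__":
    for t, result in demo():
        print(f"t={t:5.1f}s -> {result}")
```

Two points a deployment has to settle that the snippet leaves as parameters: the lock is keyed on the username, so an attacker who can trigger it can deny the legitimate user access (a reason to prefer growing delays, and to unlock via a separate verified channel), and the `wait` and `bad_password` responses should look identical to the client so that the timing of the reply does not reveal whether the password was checked at all.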
Multi-factor authentication is offered as an option by many providers. It makes the login process a little more involved, because in addition to the password the user must enter an additional component. This component can be the answer to a secret question, a PIN or a so-called captcha. The latter are small tests that let the site determine whether the request comes from a human user or, as is typical in brute force attacks, from a bot.