Is brute force a probable threat even if you enable CAPTCHA and rate limit logins?

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

Let's assume CAPTCHA is enabled with account lock out control (after five continuous failed attempts, the account will be locked for 15 min) on a system.

Is brute force still a probable threat?

authentication brute-force captcha

share|improve this question

edited 4 hours ago

Anders

45.7k21127153

asked 4 hours ago

Sayan

1,246416

add a comment | 

up vote
1
down vote

favorite

Let's assume CAPTCHA is enabled with account lock out control (after five continuous failed attempts, the account will be locked for 15 min) on a system.

Is brute force still a probable threat?

authentication brute-force captcha

share|improve this question

edited 4 hours ago

Anders

45.7k21127153

asked 4 hours ago

Sayan

1,246416

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

Let's assume CAPTCHA is enabled with account lock out control (after five continuous failed attempts, the account will be locked for 15 min) on a system.

Is brute force still a probable threat?

authentication brute-force captcha

share|improve this question

edited 4 hours ago

Anders

45.7k21127153

asked 4 hours ago

Sayan

1,246416

Let's assume CAPTCHA is enabled with account lock out control (after five continuous failed attempts, the account will be locked for 15 min) on a system.

Is brute force still a probable threat?

authentication brute-force captcha

authentication brute-force captcha

share|improve this question

edited 4 hours ago

Anders

45.7k21127153

asked 4 hours ago

Sayan

1,246416

share|improve this question

edited 4 hours ago

Anders

45.7k21127153

asked 4 hours ago

Sayan

1,246416

share|improve this question

share|improve this question

edited 4 hours ago

Anders

45.7k21127153

edited 4 hours ago

Anders

45.7k21127153

edited 4 hours ago

Anders

45.7k21127153

45.7k21127153

asked 4 hours ago

Sayan

1,246416

asked 4 hours ago

Sayan

1,246416

asked 4 hours ago

Sayan

1,246416

1,246416

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
2
down vote

Maybe.

it depends on how you define "brute force".

A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.

There's another scenario where the attacker has picked a few common passwords "password, password123, etc." And rather than attacking a single user, they try their 4 common passwords on every account they know of in your system.

User: Jim
PW: password, password123, letmein, secret

User: Bob
PW: password, password123, letmein, secret

User: Alice
PW: password, password123, letmein, secret

This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.

I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.

share|improve this answer

edited 3 mins ago

Anders

45.7k21127153

answered 3 hours ago

Daisetsu

1,643412

add a comment | 

up vote
1
down vote

The protections you describe are good ones that you should consider, but there can still be weaknesses:

• Many CAPTCHAS can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).


• Account lock out is a good idea, but if you do it based on IP someone with access to a botnet could retry login on a single account from different IP:s until they get in.


• 
  Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.

share|improve this answer

answered 4 hours ago

Anders

45.7k21127153

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195252%2fis-brute-force-a-probable-threat-even-if-you-enable-captcha-and-rate-limit-login%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote

Maybe.

it depends on how you define "brute force".

A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.

There's another scenario where the attacker has picked a few common passwords "password, password123, etc." And rather than attacking a single user, they try their 4 common passwords on every account they know of in your system.

User: Jim
PW: password, password123, letmein, secret

User: Bob
PW: password, password123, letmein, secret

User: Alice
PW: password, password123, letmein, secret

This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.

I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.

share|improve this answer

edited 3 mins ago

Anders

45.7k21127153

answered 3 hours ago

Daisetsu

1,643412

add a comment | 

up vote
2
down vote

Maybe.

it depends on how you define "brute force".

A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.

There's another scenario where the attacker has picked a few common passwords "password, password123, etc." And rather than attacking a single user, they try their 4 common passwords on every account they know of in your system.

User: Jim
PW: password, password123, letmein, secret

User: Bob
PW: password, password123, letmein, secret

User: Alice
PW: password, password123, letmein, secret

This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.

I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.

share|improve this answer

edited 3 mins ago

Anders

45.7k21127153

answered 3 hours ago

Daisetsu

1,643412

add a comment | 

up vote
2
down vote

up vote
2
down vote

Maybe.

it depends on how you define "brute force".

A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.

There's another scenario where the attacker has picked a few common passwords "password, password123, etc." And rather than attacking a single user, they try their 4 common passwords on every account they know of in your system.

User: Jim
PW: password, password123, letmein, secret

User: Bob
PW: password, password123, letmein, secret

User: Alice
PW: password, password123, letmein, secret

This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.

I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.

share|improve this answer

edited 3 mins ago

Anders

45.7k21127153

answered 3 hours ago

Daisetsu

1,643412

Maybe.

it depends on how you define "brute force".

A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.

There's another scenario where the attacker has picked a few common passwords "password, password123, etc." And rather than attacking a single user, they try their 4 common passwords on every account they know of in your system.

User: Jim
PW: password, password123, letmein, secret

User: Bob
PW: password, password123, letmein, secret

User: Alice
PW: password, password123, letmein, secret

This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.

I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.

share|improve this answer

edited 3 mins ago

Anders

45.7k21127153

answered 3 hours ago

Daisetsu

1,643412

share|improve this answer

share|improve this answer

edited 3 mins ago

Anders

45.7k21127153

edited 3 mins ago

Anders

45.7k21127153

edited 3 mins ago

Anders

45.7k21127153

45.7k21127153

answered 3 hours ago

Daisetsu

1,643412

answered 3 hours ago

Daisetsu

1,643412

answered 3 hours ago

Daisetsu

1,643412

1,643412

add a comment | 

add a comment | 

up vote
1
down vote

The protections you describe are good ones that you should consider, but there can still be weaknesses:

• Many CAPTCHAS can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).


• Account lock out is a good idea, but if you do it based on IP someone with access to a botnet could retry login on a single account from different IP:s until they get in.


• 
  Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.

share|improve this answer

answered 4 hours ago

Anders

45.7k21127153

add a comment | 

up vote
1
down vote

The protections you describe are good ones that you should consider, but there can still be weaknesses:

• Many CAPTCHAS can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).


• Account lock out is a good idea, but if you do it based on IP someone with access to a botnet could retry login on a single account from different IP:s until they get in.


• 
  Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.

share|improve this answer

answered 4 hours ago

Anders

45.7k21127153

add a comment | 

up vote
1
down vote

up vote
1
down vote

The protections you describe are good ones that you should consider, but there can still be weaknesses:

• Many CAPTCHAS can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).


• Account lock out is a good idea, but if you do it based on IP someone with access to a botnet could retry login on a single account from different IP:s until they get in.


• 
  Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.

share|improve this answer

answered 4 hours ago

Anders

45.7k21127153

The protections you describe are good ones that you should consider, but there can still be weaknesses:

• Many CAPTCHAS can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).


• Account lock out is a good idea, but if you do it based on IP someone with access to a botnet could retry login on a single account from different IP:s until they get in.


• 
  Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.

share|improve this answer

answered 4 hours ago

Anders

45.7k21127153

share|improve this answer

share|improve this answer

answered 4 hours ago

Anders

45.7k21127153

answered 4 hours ago

Anders

45.7k21127153

answered 4 hours ago

Anders

45.7k21127153

45.7k21127153

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195252%2fis-brute-force-a-probable-threat-even-if-you-enable-captcha-and-rate-limit-login%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email