Is brute force a probable threat even if you enable CAPTCHA and rate limit logins?

Let's assume CAPTCHA is enabled with account lockout control (after five consecutive failed attempts, the account is locked for 15 minutes) on a system.



Is brute force still a probable threat?
      authentication brute-force captcha
edited 4 hours ago by Anders
asked 4 hours ago by Sayan
          2 Answers
          Maybe.



It depends on how you define "brute force".



          A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.



There's another scenario where the attacker has picked a few common passwords ("password", "password123", etc.) and, rather than attacking a single user, tries those four common passwords on every account they know of in your system.



          User: Jim
          PW: password, password123, letmein, secret

          User: Bob
          PW: password, password123, letmein, secret

          User: Alice
          PW: password, password123, letmein, secret


          This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.



          I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.






answered 3 hours ago by Daisetsu, edited 3 mins ago by Anders
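The spraying scenario in the answer above, as an added example that is not part of the original answer: a toy login service implementing the question's policy (five consecutive failures lock the account for 15 minutes), a single-target attack that the lockout stops, and a spray of four common passwords across every account that never reaches five failures on any one of them. A site-wide sliding-window counter of failed logins, the kind of control the answer recommends, is what catches the spray. The user base, passwords, window size and alert threshold are constructed for the demo.

```python
# Added example (not from the original answer): a toy login service with the
# question's policy, five consecutive failures lock the account for 15 minutes,
# used to show that a password spray never trips it, and that a site-wide
# failed-login counter does.  Users, passwords and thresholds are constructed.
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5          # consecutive failures before an account locks
LOCKOUT_SECONDS = 15 * 60      # lock duration from the question
GLOBAL_WINDOW_SECONDS = 60     # sliding window for the site-wide counter (assumed)
GLOBAL_FAIL_LIMIT = 50         # failures per window that raise an alert (assumed)


class LoginService:
    def __init__(self, users):
        self.users = users                   # username -> password (plaintext only for the demo)
        self.failures = defaultdict(int)     # username -> consecutive failures
        self.locked_until = {}               # username -> unlock time (seconds)
        self.global_failures = deque()       # timestamps of every failure, any account

    def login(self, user, password, now):
        """Return "ok", "fail" or "locked"; `now` is a timestamp in seconds."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.users.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        self.global_failures.append(now)
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
        return "fail"

    def global_rate_exceeded(self, now):
        """Site-wide check: too many failures across all accounts in the window."""
        while self.global_failures and self.global_failures[0] < now - GLOBAL_WINDOW_SECONDS:
            self.global_failures.popleft()
        return len(self.global_failures) > GLOBAL_FAIL_LIMIT

    def locked_accounts(self, now):
        return sorted(u for u, t in self.locked_until.items() if t > now)


def build_demo_service(n_users=100):
    # constructed user base: every 20th account uses a common password
    users = {f"user{i}": ("password123" if i % 20 == 0 else f"S3cure!{i}")
             for i in range(n_users)}
    return LoginService(users)


COMMON_PASSWORDS = ["password", "password123", "letmein", "secret"]


def single_target_attack(svc, user, guesses):
    """Hammer one account, one guess per second: the lockout fires after 5 failures."""
    return [svc.login(user, g, now=i) for i, g in enumerate(guesses)]


def spray_attack(svc, passwords=COMMON_PASSWORDS):
    """Try each common password once against every account, one attempt per second.
    No account ever sees more than len(passwords) failures, so the lockout never fires,
    but the site-wide failure rate in the last window is far above normal."""
    compromised, now = [], 0
    for pw in passwords:
        for user in svc.users:
            if svc.login(user, pw, now) == "ok":
                compromised.append(user)
            now += 1
    return {
        "compromised": compromised,
        "locked": svc.locked_accounts(now),
        "max_failures_on_one_account": max(svc.failures.values()),
        "global_alert": svc.global_rate_exceeded(now),
    }


if __name__ == "__main__":
    print(single_target_attack(build_demo_service(), "user1",
                               COMMON_PASSWORDS + ["qwerty", "123456"]))
    print(spray_attack(build_demo_service()))
```

Run stand-alone it shows the single-target run ending in "locked" after five failures, and the spray run ending with five compromised accounts, zero locked accounts, at most four failures on any account, and the site-wide alert raised. The global counter is deliberately keyed on nothing but time, so it also fires when the spray is spread over many source IPs.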
            The protections you describe are good ones that you should consider, but there can still be weaknesses:



• Many CAPTCHAs can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).

• Account lockout is a good idea, but if you do it based on IP, someone with access to a botnet could retry logins on a single account from different IPs until they get in.

• Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.
answered 4 hours ago by Anders
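The offline case from the last bullet, as an added example that is not part of the original answer: a dictionary attack against a leaked credential table, first where the application stored unsalted SHA-256, then where it stored a per-user salt and PBKDF2-HMAC-SHA256 from the Python standard library. The users, passwords, wordlist and iteration count are constructed for the demo; the point is the work the attacker has to do per guess, not these particular values.

```python
# Added example (not from the original answer): an offline dictionary attack
# against a leaked credential table.  With an unsalted fast hash, one pass over
# the wordlist cracks every user at once; with a per-user salt and a slow KDF
# (PBKDF2-HMAC-SHA256 from the standard library) each guess must be redone for
# every user and costs hundreds of thousands of hash iterations.  The users,
# passwords and wordlist are constructed for the demo.
import hashlib
import hmac
import os

DEMO_USERS = {"alice": "letmein", "bob": "S3cure!x9", "carol": "password123"}
WORDLIST = ["password", "password123", "letmein", "secret", "qwerty", "123456"]
PBKDF2_ITERATIONS = 600_000   # order of magnitude currently recommended for PBKDF2-HMAC-SHA256


def fast_hash(password):
    """What a careless application stores: unsalted single SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """What it should store: salted, iterated KDF output (alongside the salt and iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def leak_unsalted():
    return {u: fast_hash(p) for u, p in DEMO_USERS.items()}


def leak_salted(iterations=PBKDF2_ITERATIONS):
    leaked = {}
    for u, p in DEMO_USERS.items():
        salt = os.urandom(16)
        leaked[u] = (salt, slow_hash(p, salt, iterations))
    return leaked


def crack_unsalted(leaked):
    """Hash the wordlist once and look every user up in the result.
    Returns (cracked, number_of_hash_computations)."""
    table = {fast_hash(w): w for w in WORDLIST}    # can even be precomputed before the leak
    cracked = {u: table[h] for u, h in leaked.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(leaked, iterations=PBKDF2_ITERATIONS):
    """The salt makes the lookup table useless: every guess is recomputed per user,
    and each recomputation costs `iterations` HMAC rounds.
    Returns (cracked, number_of_kdf_computations)."""
    cracked, work = {}, 0
    for u, (salt, stored) in leaked.items():
        for w in WORDLIST:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), stored):
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    cracked, work = crack_unsalted(leak_unsalted())
    print("unsalted sha256:", cracked, "after", work, "hashes")
    cracked, work = crack_salted(leak_salted(), PBKDF2_ITERATIONS)
    print("salted pbkdf2:", cracked, "after", work, "KDF runs of",
          PBKDF2_ITERATIONS, "iterations each")
```

Both runs crack alice and carol, because their passwords are in the wordlist; the slow, salted scheme does not rescue a weak password, it only multiplies the attacker's cost per guess by the iteration count and removes the shared lookup table, so the guess budget has to be spent again for every user. That is the sense in which "good hashing" helps: it buys time after a leak and makes strong passwords impractical to recover, not weak ones impossible.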