Brute Force Protection
A set of defense mechanisms that detect and block automated high-volume authentication attempts aimed at guessing credentials through exhaustive trial.
Description
Brute force protection encompasses multiple defensive layers designed to detect and mitigate automated attacks that attempt to guess valid credentials through systematic trial. These attacks include simple brute force (trying all possible combinations), dictionary attacks (trying common passwords), credential stuffing (using breached username/password pairs from other services), and password spraying (trying a few common passwords across many accounts to avoid lockout thresholds).
Effective protection requires a layered approach that combines multiple mechanisms: per-account rate limiting (progressive delays and lockout), per-IP rate limiting (blocking IPs with excessive failed attempts across any account), global rate limiting (capping total authentication requests per time window), CAPTCHA challenges (triggered after initial failures), device fingerprinting (flagging requests from known attack tools), and geographic anomaly detection (flagging login attempts from unusual locations). No single mechanism is sufficient -- credential stuffing can use millions of unique IP addresses, and password spraying specifically targets per-account limits.
Implementation typically uses Redis or a similar in-memory store for real-time tracking of attempt patterns. Key metrics to track include failed attempts per account, failed attempts per IP, failed attempts per IP subnet (/24), and the ratio of failed to successful authentications globally. Integrate with threat intelligence feeds (IP reputation databases, Tor exit node lists, known botnet IPs) to proactively block suspicious sources. Use WAF rules to detect and block automated tools based on request patterns, headers, and TLS fingerprinting. Monitor for distributed attacks where each IP makes only a few attempts but the aggregate pattern indicates credential stuffing.
Prompt Snippet
Implement multi-layer brute force protection using Redis. Track three dimensions: per-account failures (auth:account:{id}:fails), per-IP failures (auth:ip:{ip}:fails), and per-subnet failures (auth:subnet:{/24}:fails) using INCR with 15-minute TTL. Apply progressive responses: after 3 account failures, require CAPTCHA (integrate hCaptcha or Turnstile); after 5, apply 30-second delay; after 10, lock for 15 minutes. Block IPs with >20 failures across any accounts for 1 hour. Integrate with an IP reputation service to pre-block known malicious sources. Log all blocked attempts to a security events stream for SIEM ingestion.
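As an added worked example (not code from the original page), the following Python sketches the three counters and progressive responses the prompt snippet describes. The Store class is an assumed stand-in for the Redis INCR/EXPIRE/GET calls, the clock is passed in explicitly so it runs offline, and the subnet counter is only recorded, since the page states no threshold for it.

```python
import ipaddress

# Thresholds and windows are the ones stated in the prompt snippet above.
WINDOW, LOCK_TTL, IP_BLOCK_TTL = 15 * 60, 15 * 60, 60 * 60

class Store:
    """Stand-in for the Redis INCR/EXPIRE/GET calls (assumption: not a real client)."""
    def __init__(self):
        self.data = {}  # key -> (value, expires_at)

    def get(self, key, now):
        value, exp = self.data.get(key, (0, 0))
        return value if exp > now else 0

    def incr(self, key, ttl, now):
        # Like INCR then EXPIRE only when the key is new: TTL runs from the first failure.
        value = self.get(key, now) + 1
        self.data[key] = (value, self.data[key][1] if value > 1 else now + ttl)
        return value

    def set_flag(self, key, ttl, now):
        self.data[key] = (1, now + ttl)

def subnet_of(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def check_login(store, account_id, ip, now):
    """Decide what the gate does before the password is even checked."""
    if store.get(f"auth:ip:{ip}:blocked", now):
        return "block_ip"
    if store.get(f"auth:account:{account_id}:locked", now):
        return "locked"
    fails = store.get(f"auth:account:{account_id}:fails", now)
    return "delay_30s" if fails >= 5 else "captcha" if fails >= 3 else "allow"

def record_failure(store, account_id, ip, now, events):
    """Update all three dimensions after a failed password check."""
    acct = store.incr(f"auth:account:{account_id}:fails", WINDOW, now)
    ip_fails = store.incr(f"auth:ip:{ip}:fails", WINDOW, now)
    store.incr(f"auth:subnet:{subnet_of(ip)}:fails", WINDOW, now)
    if acct >= 10:
        # Separate key: the fails counter expires 15 min after the FIRST failure,
        # so it cannot on its own guarantee a 15-minute lock from the tenth.
        store.set_flag(f"auth:account:{account_id}:locked", LOCK_TTL, now)
        events.append({"event": "account_locked", "account": account_id, "ip": ip})
    if ip_fails > 20:
        store.set_flag(f"auth:ip:{ip}:blocked", IP_BLOCK_TTL, now)
        events.append({"event": "ip_blocked", "ip": ip, "fails": ip_fails})
```

The per-IP counter is what catches password spraying: twenty-one failures spread over twenty-one accounts never reach any per-account threshold but still trip the IP block.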
Related Terms
Account Lockout Policy
A security policy that temporarily or permanently disables an account after a defined number of consecutive failed authentication attempts to prevent brute-force attacks.
Rate-Limited Login Attempts
Restricting the number of authentication attempts a client can make within a time window to slow down automated attacks while preserving access for legitimate users.
Password Hashing (bcrypt/argon2)
The practice of transforming passwords into irreversible hashes using intentionally slow, memory-hard algorithms to protect credentials at rest.
Multi-Factor Authentication (MFA)
An authentication method requiring users to provide two or more verification factors from different categories (knowledge, possession, inherence) to gain access.
Audit Logging for Auth Events
Comprehensive, tamper-evident logging of all authentication and authorization events to support security monitoring, incident investigation, and compliance requirements.