Premium Member Database last update: Saturday, October 22, 2016 22:02:58 GMT-0700

Website Security - Preventing Brute Force Attacks

Establishing and implementing a strong credential policy will go a long way in preventing brute force attacks against your website or network. Regardless of the method used to get content and other data onto your website, users should be required to provide a username and password to login. When it comes to preventing brute force attacks there is an equation you need to remember.

Easily guessable username + easily guessable password = hacked website.

What does easily guessable really mean?

The term easily guessable used to mean the use of human guessable credentials. If you are married, using your name as your username and your spouse's name as your password results in human guessable credentials. You can resolve this problem by at least selecting a harder to guess password. But notice our equation does not mention humans.

Humans have a detriment computers do not. The detriment is time. A human entering username, password combinations can only enter a small number of credentials per minute. It could take them an entire lifetime to guess a simple username/password combination. A fast human might be able to attempt 20 brute force attempts per minute. Even with very minimal security requirements it is hardly of concern. Computers do not have the same limitation.

Elcomsoft has patented a process enabling a computer's main CPU to try 2.8 billion different password combinations per second.

It would take a human 16,204 years of non-stop typing to try as many combinations as a computer could do in one second. It looks like an easily guessable password takes on a new meaning.

Machines designed with the sole purpose of password cracking can test of 90 billion keys per second.

Without getting too technical password strength is improved with the use of broader character sets and more characters in the password. Security experts advise a minimum password length of 12 characters. But we recommend establishing higher standards. For website administrator access two credentials are generally required: username and password. Establishing hefty minimum requirements increases the time necessary to brute force your site./

What we recommend


Username: random uppercase AND lowercase letters

Password: a broad combination of random uppercase characters, lowercase characters, numbers, punctuation and special characters (~`@#$%^&*()_-+{}:”;’<>/).


Username: 13 characters

Password: 17 characters

What about encryption?

Use the highest level of encryption your web server can handle. One of the most popular and widely used encryption algorithms is MD5. But MD5 has been found to be vulnerable to collision attacks and is not considered secure. It has been replaced by the SHA-2 family of hash functions. We will deal with encryption in a later article.

Abiding by the above reintroduces the detriment of time. When it comes to brute force attacks you need time working in your favor. Implementing stringent username and password policies will give you time to recognize an attack and respond to an attack.

Failure to implement these policies will also require time. If a brute force attack against your website is ever successful you may need much more time to recover from the devastation to your finances, reputation and freedom.