If you're not familiar with a brute force attack, it is where every possible password combination is attempted until one works. Quite often the attacker will first try a dictionary of words and common passwords, and only then fall back to trying every character combination. Given enough time the attacker will eventually hit upon the correct password. Here is a very crude screenr example of a brute force attack using a dictionary on an Umbraco site. I chose an obscure dictionary word as my password, but it found it pretty quickly, after trying over 4000 dictionary words.
Here are several ways of mitigating the risk of this kind of attack:
- Always choose a secure password involving letters, numbers and special characters, at least 8 characters long and ideally 12 or longer. If you think about the maths this makes sense: an 8 character password using only lowercase alphabet characters has 26 to the power of 8 combinations (208,827,064,576), whereas 12 characters drawn from uppercase, lowercase, numeric and 10 special characters (72 symbols in total) has 72 to the power of 12 combinations (19,408,409,961,765,342,806,016).
- Never use a dictionary word. As you can see above, that narrows the possible options by a huge amount: the Oxford English Dictionary has only ~170,000 words.
- Enforce a password change policy, so that passwords need to be changed at least every month.
- Don't make the login for your site publicly available, for example restrict it through the firewall to certain IP addresses.
- Lockout users after x failed attempts for at least several minutes.
My package addresses point number 5 from above. It inherits from Umbraco's user membership provider to add support for a maximum number of attempts and the window in which these can be attempted. By default it will silently fail all logins for a user after they fail 5 logins within a 10 minute window, after which they will be able to login normally.
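To show how a sliding-window lockout like the one described above behaves, here is an added example in Python (not the package's own C# code, and not Umbraco's membership provider). It wraps a small constructed user store with a provider that counts failed logins per user within a window, silently rejects every login once the limit is hit, and lets the user back in once the window has passed. The `UserStore`, `LockoutProvider` and `simulate_dictionary_attack` names, the PBKDF2 password storage and the sample usernames and guesses are all assumptions made for this example; the defaults of 5 attempts in 10 minutes are the ones the post states.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext (assumption for this
    # example; Umbraco's real hashing scheme is not shown on the page).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Constructed in-memory user store: username -> (salt, hash)."""

    def __init__(self) -> None:
        self._users: Dict[str, tuple] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal whether the account exists.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)


class LockoutProvider:
    """Membership-provider style wrapper with a sliding-window lockout."""

    def __init__(self, store: UserStore, max_attempts: int = 5,
                 window: timedelta = timedelta(minutes=10), clock=None) -> None:
        self.store = store
        self.max_attempts = max_attempts
        self.window = window
        # Injectable clock so the behaviour can be tested without waiting.
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._failures: Dict[str, List[datetime]] = {}

    def _recent_failures(self, username: str, now: datetime) -> List[datetime]:
        # Drop failures older than the window; what remains is the live count.
        cutoff = now - self.window
        recent = [t for t in self._failures.get(username, []) if t > cutoff]
        self._failures[username] = recent
        return recent

    def is_locked_out(self, username: str) -> bool:
        return len(self._recent_failures(username, self.clock())) >= self.max_attempts

    def validate_user(self, username: str, password: str) -> bool:
        now = self.clock()
        failures = self._recent_failures(username, now)
        if len(failures) >= self.max_attempts:
            # Silently fail: the caller cannot tell a lockout from a bad password,
            # so a correct guess during the lockout window is not confirmed.
            return False
        if self.store.check_password(username, password):
            self._failures.pop(username, None)  # success resets the counter
            return True
        failures.append(now)
        return False


def simulate_dictionary_attack() -> Dict[str, bool]:
    """Replay the post's scenario: 5 dictionary guesses, then the real password."""
    now = [datetime(2014, 1, 1, tzinfo=timezone.utc)]  # constructed start time
    store = UserStore()
    store.add_user("admin", "correct horse battery staple")  # constructed credentials
    provider = LockoutProvider(store, clock=lambda: now[0])
    for guess in ["password", "123456", "umbraco", "letmein", "admin"]:
        provider.validate_user("admin", guess)  # every guess is wrong
    locked = provider.is_locked_out("admin")
    rejected_while_locked = not provider.validate_user("admin", "correct horse battery staple")
    now[0] += timedelta(minutes=11)  # let the 10 minute window expire
    accepted_after_window = provider.validate_user("admin", "correct horse battery staple")
    return {
        "locked": locked,
        "rejected_while_locked": rejected_while_locked,
        "accepted_after_window": accepted_after_window,
    }


if __name__ == "__main__":
    print(simulate_dictionary_attack())
```

Two design points worth noting: the window is sliding rather than fixed, so a user who keeps guessing stays locked until a full window has elapsed since their last counted failure, and a successful login clears the counter so ordinary typos do not accumulate across days.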
Please install it and let me know if you find it useful, or if you have any questions get in touch @steve_gibe. Next step is to get this functionality into a pull request to update the Umbraco core.