Dmac Blog

Brute Force Attack Prevention Mistake 1: Too Much Information (TMI)

Posted in TechTalk by dmacattack on April 5, 2007

Before you can begin developing your brute force prevention system, you must first make sure that your authentication system isn’t working against you. Many authentication systems give too much information (TMI) when responding to an invalid login attempt. For example, let’s say a user enters the following credentials.

Username: john.doe

Password: bl@hbl@h

Your authentication system searches the user table for a user with a username equal to “john.doe” so that it can retrieve the password hash for comparison. Your system quickly discovers that this username does not exist, so you give back a response like “Invalid Username” or “Username Does Not Exist”. This is a good example of giving too much information (TMI). Why would this be TMI?

The goal of brute force is to figure out a valid username and password. This means that one must first have a valid username before making attempts at the password. If your authentication system responds with “Invalid Username” or “Username Does Not Exist”, then the person/script/tool performing the brute force knows to try another username. So they try another username and receive the same response. They try one more username and this time receive the response “Invalid Password” (TMI once again). The new response tells them that they have found a valid username, so they can move on to brute forcing the password. Your authentication system has given the user too much information, and now you have helped them potentially brute force one of your users’ credentials.

Solution: Keep it Simple (KIS)! Your authentication system should respond to every invalid login attempt with the same response. Your response should not communicate specifics. The goal of the response is to inform the user that the username and password they provided were not valid and that they should try again. By using the same response for ALL invalid login attempts, you are telling the user to try again without helping Mr. Malicious brute force your users’ credentials. Some good example responses are below:

  • Invalid Username or Password
  • Username and Password do not match
  • Invalid Credentials. Please try again.
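As an added example (not code from the original post), here are the two responders side by side in Python: the TMI version the post warns about and the KIS version that always returns one message. The user table, the PBKDF2 hashing scheme and the dummy-hash step are constructed assumptions; the dummy-hash step goes beyond the post by making the unknown-user path do the same hashing work as the known-user path, so the response does not differ in timing either.

```python
import hashlib
import hmac
import os

# Constructed sample user table: username -> (salt, PBKDF2-SHA256 hash).
# Passwords are hashed at "registration"; no plaintext is stored.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {
    "jane.smith": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy credential verified whenever the username is unknown, so the
# unknown-user path performs the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid Username or Password"


def login_tmi(username: str, password: str) -> str:
    """The TMI responder from the post: distinct messages reveal which part failed."""
    record = USERS.get(username)
    if record is None:
        return "Invalid Username"   # leaks: this username does not exist
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Invalid Password"   # leaks: the username is valid
    return "OK"


def login_kis(username: str, password: str) -> str:
    """The KIS responder: one message for every failed attempt."""
    record = USERS.get(username)
    known_user = record is not None
    if known_user:
        salt, stored = record
    else:
        # Hypothetical hardening beyond the post: hash anyway so an unknown
        # username costs about the same time as a wrong password.
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if known_user and password_ok:
        return "OK"
    return GENERIC_FAILURE
```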

5 Responses


  1. bofe said, on April 6, 2007 at 7:28 am

    I think you mean TOO much information

  2. JohnO said, on April 6, 2007 at 3:08 pm

    Die grammar nazi!

  3. inkie78 said, on April 6, 2007 at 4:56 pm

    Now, now, boys, no fighting.

  4. dmac said, on April 6, 2007 at 5:00 pm

    Nice catch! I changed it so all is well.

  5. tim said, on April 17, 2007 at 12:56 pm

    If you want to find a valid username, you could typically try the signup form.
