Skip to content

Latest commit

 

History

History
143 lines (88 loc) · 2.72 KB

brute-force-protection.md

File metadata and controls

143 lines (88 loc) · 2.72 KB

Brute-force protection means protecting your system from attackers who try to guess passwords or login credentials by trying many combinations very quickly.

Let’s break it down properly.

🔐 What is a brute-force attack?

A brute-force attack is when an attacker repeatedly tries many username–password combinations until one works.

Example:

Try 1 → password123
Try 2 → Pass@2023
Try 3 → admin123
Try 4 → 000000
Try 5 → 111111
...
Try 100,000 → eventually one succeeds

Attackers often use automated tools that can attempt thousands of logins per second.

🚨 Why brute-force protection is needed

If your login API is open on the internet and you have no protection, an attacker can:

  • Break into accounts
  • Lock users out
  • Overload your server (DDoS-like load)
  • Guess admin passwords
  • Steal sensitive data

This is one of the most common attacks on any system.

🛡️ What is brute-force protection?

It is a set of techniques that prevent attackers from making unlimited login attempts.

Common protections include:

1. Rate Limiting

Limit how many login attempts per second/minute are allowed.

Example:

  • Max 5 requests per minute per IP
  • After that → block or slow down

Tools support this:

  • API Gateway
  • NGINX rate limiting
  • Cloudflare WAF
  • Spring Boot filters

2. Account Lockout

If a user enters the wrong password too many times:

  • Lock the account for 5–10 minutes
  • Or send OTP to unlock
  • Or require CAPTCHA

Example:

5 failed attempts → temporary lock

3. IP Blocking / Geo Blocking

If an IP is trying thousands of logins → blacklist it.

Can block:

  • suspicious countries
  • tor networks
  • known bot networks

4. CAPTCHA (Google reCAPTCHA v2/v3)

After multiple failed attempts, show a CAPTCHA to verify the user is human.

Prevents bots from automation.

5. Progressive Delays (Throttling)

Add delay after each failed attempt:

Attempt 1 → no delay
Attempt 2 → 0.5 sec delay
Attempt 3 → 1 sec delay
Attempt 4 → 2 sec delay
Attempt 5 → 4 sec delay

Slows down brute-force completely.

6. Two-Factor Authentication (2FA)

Even if attacker guesses password → still needs OTP.

Placeholder: Without brute-force protection, login API becomes easily breakable.

Attackers can hack:

  • Gmail
  • Bank apps
  • Payment apps
  • Social media
  • Admin dashboards

That’s why every secure system always implements brute-force protection.

💬 Short, simple definition

Brute-force protection prevents attackers from trying unlimited password attempts by blocking, delaying, or challenging excessive login attempts.