Login Brute Force Vulnerability issues

We have a web portal which requires a login. We would like to secure the login from Brute Force Vulnerabilities. Our scanner is detecting the following issue. How can we fix this?

This vulnerability occurs when a malicious user succeeds to guess a valid username and password that will enable them to authenticate illicitly to a Web
application.
The username and password would be "guessed" based on a generated list that can come from two sources: a user-defined configuration, or an internal list
provided by the WAS module based on the most common usernames and passwords.
LVL 1
skyjumperdudeAsked:
Who is Participating?
 
DeleteConnect With a Mentor Commented:
You can either have the account lockout for a specified duration after 3 to 6 failed attempts which makes brute forcing a lot harder, or you can ask for additional information upon login (i.e. a secreate question, a pin, their zip code, etc).
0
 
Big MontySenior Web Developer / CEO of ExchangeTree.org Commented:
i would do both if you're really concerned about security, lock the account after x amount of attempts, and also add something like captcha the end user has to enter in before the form is submitted.

of course, this can be a real pain in the butt to the end user to have to enter in captcha details every time they log in. it's something you'll have to weigh in on, security vs ease of use
0
All Courses

From novice to tech pro — start learning today.