Solved

Login Brute Force Vulnerability issues

Posted on 2014-03-29
2
214 Views
Last Modified: 2014-04-19
We have a web portal which requires a login. We would like to secure the login from Brute Force Vulnerabilities. Our scanner is detecting the following issue. How can we fix this?

This vulnerability occurs when a malicious user succeeds to guess a valid username and password that will enable them to authenticate illicitly to a Web
application.
The username and password would be "guessed" based on a generated list that can come from two sources: a user-defined configuration, or an internal list
provided by the WAS module based on the most common usernames and passwords.
0
Comment
Question by:skyjumperdude
2 Comments
 
LVL 7

Accepted Solution

by:
Delete earned 500 total points
Comment Utility
You can either have the account lockout for a specified duration after 3 to 6 failed attempts which makes brute forcing a lot harder, or you can ask for additional information upon login (i.e. a secreate question, a pin, their zip code, etc).
0
 
LVL 32

Expert Comment

by:Big Monty
Comment Utility
i would do both if you're really concerned about security, lock the account after x amount of attempts, and also add something like captcha the end user has to enter in before the form is submitted.

of course, this can be a real pain in the butt to the end user to have to enter in captcha details every time they log in. it's something you'll have to weigh in on, security vs ease of use
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Developer tools in browsers have been around for a while, yet they are still heavily underused by developers. Developers still fix html or CSS then refresh page to see effect, or they put alert or debugger in JavaScript and then try again and again …
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now