20i.com Blog

Protecting your password from brute-force attacks

This is based on an email we sent to our customers. It generated a lot of interest, so we thought we’d expand on it here.

Stack Protect is a security tool from 20i that protects website passwords.

One of the most common and easiest ways to compromise a website is to guess the password for its content management system (CMS) login. For WordPress, for example, that is the /wp-admin area, whose login page is /wp-login.php.

Automated attack scripts use trial and error to guess your password.

They usually start by cycling through the most common passwords and simple variants of them. This is known as a ‘dictionary attack’: the script works through every entry in a ‘password dictionary’ of common words and of passwords that have already turned up in breaches elsewhere, trying each one in turn.

Most common passwords word cloud.

That is why you should use a unique, secure password: one that is truly random, so it appears in no dictionary. Random passwords are difficult to remember, unfortunately, but a password manager can generate and store them for you.

Then there is the traditional brute-force attack, where the script tries every character combination in sequence. Against a long random password this is impractical: each extra character multiplies the number of combinations by the size of the character set, so the work grows exponentially with length.
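To make the difference between the two attacks concrete, here is an added example (written for this post, not code from 20i or Stack Protect). It implements a miniature dictionary attack with the mangling rules cracking tools typically apply (capitalisation, leet-speak substitutions, common suffixes) and counts how many guesses it takes to hit a given password, beside the number of guesses an exhaustive search of the same length would need. The word list, the mangling rules, the alphabet and the guess rate are all constructed assumptions for the demo.

```python
"""Added example (not from the 20i post): a miniature dictionary attack
with typical mangling rules, beside the exhaustive search that a random
password forces. The word list, rules, alphabet and rates are constructed."""
import itertools
import string

# Constructed miniature "password dictionary"; real lists hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome", "admin", "football"]

# Leet-speak substitutions and suffixes that cracking tools typically apply (assumed set).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "1!", "2018"]


def mangle(word):
    """Yield the variants of one dictionary word, in the order an attacker would try them."""
    seen = set()
    bases = (word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET))
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:      # identical variants are only tried once
                seen.add(candidate)
                yield candidate


def dictionary_guesses(target, dictionary=COMMON_PASSWORDS):
    """Number of guesses a dictionary attack needs to hit `target`,
    or None if `target` is not a variant of any dictionary word."""
    candidates = itertools.chain.from_iterable(mangle(w) for w in dictionary)
    for n, candidate in enumerate(candidates, start=1):
        if candidate == target:
            return n
    return None


def brute_force_guesses(target, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Expected guesses for exhaustive search in sequence: every shorter string first,
    then on average half of the strings of the target's own length."""
    if any(c not in alphabet for c in target):
        raise ValueError("target uses characters outside the assumed alphabet")
    n, k = len(target), len(alphabet)
    return sum(k ** i for i in range(1, n)) + k ** n // 2


def seconds_at_rate(guesses, guesses_per_second):
    """Wall-clock time for `guesses` attempts at a constant rate (an assumption; real rates vary)."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    # "Password1" and "p455w0rd!" are dictionary variants; the third is a random 12-character password.
    for pw in ("Password1", "p455w0rd!", "xK7#pQ2mV9$t"):
        bf = brute_force_guesses(pw)
        print(pw, "dictionary guesses:", dictionary_guesses(pw), "brute force:", bf,
              "years at 1e6 guesses/s:", round(seconds_at_rate(bf, 1e6) / 31_557_600, 2))
```

Running it shows the point of the paragraph above: ‘Password1’ falls within the first couple of dozen dictionary guesses, while the random password is not in the dictionary at all and has to be found by exhaustive search over a 94-character alphabet, which at a million guesses per second would take far longer than the attacker has. The guess rate is an assumption; what matters is the ratio between the two columns, not the absolute figure.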

How Stack Protect protects your password

Stack Protect monitors requests to common login pages. When a request is made, it looks at a number of things:

  • Publicly blacklisted domains and IPs
  • Unusual geographic location (from the IP address)
  • Previous login attempts from that host
  • Number of login attempts, and how many websites they’ve tried to access
  • Failed logins and previous firewall rule breaking

If these criteria are matched, a Google reCAPTCHA splash page is presented in place of the login page.

This stops the brute force script in its tracks.
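As an added example (written for this post, not 20i’s own Stack Protect code), here is a minimal edge-side scorer that applies the checks listed above to login requests and decides whether to serve a challenge. The login paths, the blocklist, the IP-to-country table, the log format and the weights and threshold are all constructed assumptions; the point is the shape of the logic, in which several weak signals combine to reach the threshold and a failed login is only recorded for requests that actually reached the CMS.

```python
"""Added example (not 20i's code): a minimal edge-side scorer for login
requests in the spirit of the Stack Protect checks. Login paths, blocklist,
IP-to-country table, log format, weights and threshold are all constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Login pages worth watching (assumed list: WordPress, Joomla, Drupal).
LOGIN_PATHS = ("/wp-login.php", "/wp-admin", "/administrator/", "/user/login")

# Constructed stand-ins for a public blocklist and a GeoIP lookup.
BLOCKLISTED_IPS = {"203.0.113.9"}
IP_COUNTRY = {"203.0.113.9": "XX", "198.51.100.7": "XX", "192.0.2.10": "GB"}


@dataclass
class HostState:
    """What we remember about one source IP across all the sites it touches."""
    attempts: int = 0
    failures: int = 0
    sites: set = field(default_factory=set)
    rule_breaks: int = 0  # earlier firewall-rule hits, if the WAF reports them


class LoginGuard:
    """Runs in front of the CMS: returns 'challenge', 'allow' or 'pass' per request."""

    def __init__(self, expected_country, challenge_threshold=3):
        self.expected_country = expected_country
        self.threshold = challenge_threshold
        self.hosts = defaultdict(HostState)

    @staticmethod
    def is_login_request(path):
        return any(path.startswith(p) for p in LOGIN_PATHS)

    def score(self, ip, site):
        """Weighted sum of the signals; a weak signal never reaches the threshold alone."""
        st = self.hosts[ip]
        score = 0
        if ip in BLOCKLISTED_IPS:
            score += 3                      # public blocklist: strong signal
        if IP_COUNTRY.get(ip, self.expected_country) != self.expected_country:
            score += 1                      # unusual location: weak on its own (VPNs, travel)
        if st.attempts >= 5:
            score += 1                      # many attempts from this host
        if st.failures >= 3:
            score += 3                      # repeated failed logins
        if len(st.sites | {site}) >= 3:
            score += 2                      # spraying across several sites
        if st.rule_breaks:
            score += 1                      # previous firewall rule breaking
        return score

    def decide(self, ip, site, path):
        if not self.is_login_request(path):
            return "pass"                   # not a login page: nothing to score
        verdict = "challenge" if self.score(ip, site) >= self.threshold else "allow"
        st = self.hosts[ip]
        st.attempts += 1
        st.sites.add(site)
        return verdict

    def record_result(self, ip, success):
        """Only for requests that reached the CMS and produced a real login result."""
        if not success:
            self.hosts[ip].failures += 1


# Constructed log lines: "client_ip site path login_result".
SAMPLE_LOG = [
    "192.0.2.10 site-a.example /wp-login.php fail",     # real user mistypes once
    "192.0.2.10 site-a.example /wp-login.php ok",
    "198.51.100.7 site-a.example /wp-login.php fail",   # bot spraying several sites
    "198.51.100.7 site-b.example /wp-login.php fail",
    "198.51.100.7 site-c.example /wp-login.php fail",
    "198.51.100.7 site-d.example /wp-login.php fail",
    "203.0.113.9 site-a.example /wp-login.php fail",    # blocklisted host
    "192.0.2.10 site-a.example /index.php ok",          # ordinary page view
]


def replay(log_lines, guard):
    """Feed log lines through the guard in order and return the verdict for each."""
    verdicts = []
    for line in log_lines:
        ip, site, path, result = line.split()
        verdict = guard.decide(ip, site, path)
        verdicts.append(verdict)
        if verdict == "allow":              # challenged requests never produced a login result
            guard.record_result(ip, result == "ok")
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG, LoginGuard("GB"))):
        print(f"{verdict:9} {line}")
```

Replaying the constructed log, the genuine user who mistypes once is never challenged, the host spraying the same guess across several sites is challenged from its third site onwards, and the blocklisted host is challenged on its very first request. Geolocation alone is deliberately worth less than the threshold, because a customer on holiday or behind a VPN would otherwise be challenged for nothing; the weights are a starting point to tune against your own logs, not a recommendation.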

The splash page is served before any of the CMS’s code is executed, and it takes place on physically isolated servers, so the attacking script never reaches the server that holds your site’s core data.

Brute-force attempts happen very, very often. For example, in the first three weeks of August 2018 we saw between 2.25 million and 5.5 million attempts every day.

Chart: brute-force login attempts aimed at guessing a password, over 21 days

It’s just one of the ways that we help keep you secure.

Sadly, there are data breaches every day and no one can promise to keep you 100% secure. Even so, there is plenty you can do to limit your exposure to cybercriminals. We recommend multi-factor authentication, using physical security tokens and/or biometric methods (such as fingerprint or retina scans) where possible, so that a guessed password on its own is not enough to log in.


Richard Chambers

Richard is a Marketing Manager at 20i. He likes all things tech and is a master of none.
