Take a second and answer this seemingly straightforward question – how many passwords do you have? Not so easy to explain, is it?

We live in a world where not being online is often the same as not being a functional part of society. So it doesn’t come as a surprise that the average business user must keep track of nearly 200 passwords. According to the 2017 report from LastPass, business users keep track of 191 passwords, on average. That’s a staggering number of 47,750 passwords in use by the average 250-employee company.

If you consider these numbers, it is only natural that people often reuse the same password, a weak one, or a slight variation of a weak one across multiple accounts, unaware that such behavior inevitably leads to painfully successful hacking attacks. Approximately 81% of confirmed data breaches are due to weak or stolen passwords, reports claim.

In this article, we shall provide an in-depth explanation of how hackers attempt brute force attacks and how to easily prevent them.

What is a Brute Force Attack?

As the name implies, brute force attacks are far from subtle. The theory behind such an attack is that if you take an infinite number of attempts to guess a password, you are bound to be right eventually. Colloquially, we may say that this hacking method relates to the old saying that even a blind hen sometimes finds a grain of corn.

Any brute force attack aims to forcefully gain access to a user account by attempting to guess the username/email and password. Usually, the motive behind it is to use the breached account to execute a large-scale attack, steal sensitive data, shut down the system, or a combination of the three.

A brute force attack is probably the simplest and least sophisticated hacking method. Creating code that executes this type of attack doesn’t take much imagination or knowledge, and there are even widely available automated tools that submit several thousand password attempts per second.

How to Identify Brute Force Attacks

Brute force attacks are easy to identify. You can spot them by looking into your servers’ log files. The attack will leave a series of unsuccessful login attempts, as seen below:

Sep 21 20:10:10 host proftpd[25197]: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.
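The check described above, turned into code: an added example (not from the original article) that scans proftpd log lines in the format shown, counts failed logins per source address, and flags both the classic pattern (many failures against one account) and the lockout-dodging pattern from the next section (one or two attempts spread across many accounts). The sample log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the proftpd failed-login line quoted in the article, e.g.
# "Sep 21 20:10:10 host proftpd[25197]: srv (1.2.3.4[1.2.3.4]) - USER bob (Login failed): Incorrect password."
FAILED_LOGIN = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<rhost>[^\[]*)\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+) \(Login failed\)"
)

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Sep 21 20:10:10 host proftpd[25197]: srv (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.",
    "Sep 21 20:10:11 host proftpd[25197]: srv (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.",
    "Sep 21 20:10:12 host proftpd[25197]: srv (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.",
    "Sep 21 20:10:13 host proftpd[25197]: srv (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.",
    "Sep 21 20:11:01 host proftpd[25201]: srv (198.51.100.9[198.51.100.9]) - USER alice (Login failed): Incorrect password.",
    "Sep 21 20:11:02 host proftpd[25201]: srv (198.51.100.9[198.51.100.9]) - USER bob (Login failed): Incorrect password.",
    "Sep 21 20:11:03 host proftpd[25201]: srv (198.51.100.9[198.51.100.9]) - USER carol (Login failed): Incorrect password.",
    "Sep 21 20:12:40 host proftpd[25210]: srv (192.0.2.4[192.0.2.4]) - USER dave (Login failed): Incorrect password.",
    "Sep 21 20:12:55 host proftpd[25210]: srv (192.0.2.4[192.0.2.4]) - USER dave: Login successful.",
]

def parse_failures(lines):
    """Yield (ip, user) for every failed-login line; other lines are ignored."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            yield m.group("ip"), m.group("user")

def flag_sources(lines, max_failures=4, max_users=3):
    """Return {ip: (failures, distinct_users)} for sources that exceed either
    threshold: repeated failures on one account, or attempts across many accounts."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for ip, user in parse_failures(lines):
        failures[ip] += 1
        users[ip].add(user)
    return {ip: (failures[ip], len(users[ip])) for ip in failures
            if failures[ip] >= max_failures or len(users[ip]) >= max_users}

if __name__ == "__main__":
    for ip, (n, u) in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins across {u} account(s)")
```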

Does Locking-Out Accounts Work?

Those more knowledgeable among you will say that locking out accounts after a certain number of incorrect password attempts is a good way of dealing with brute force attempts. Unfortunately, that alone is not sufficient.

Hackers can launch wide-scale brute force attempts by trying a single password on several thousand servers. As opposed to attempting many passwords on a single server, this method does not trigger the account lockout, and it cleverly bypasses this defensive mechanism.

Image: Wordpress login box displaying failed attempts

Furthermore, if a server were under attack frequently, several hundred user accounts could be locked out constantly, and your server would be easy prey for denial-of-service (DoS) attacks.

Image: diagram of a brute force attacker using zombie accounts

Does Blacklisting IPs Work?

Unfortunately, not always. Hackers use botnets that attack from varying IP addresses, which makes it impossible to pinpoint the origin of the attack.

Does Using "LEET-speak" Help?

“Leetspeak” is internet slang that rewrites ordinary text by substituting letters with similar-looking ASCII characters, such as digits and symbols. For some time, it was an effective way of adding another “security layer” to your password management, but hackers have caught on and started using dictionaries that substitute letters with common Leet characters. The same applies to other common password transformations, such as hashing with SHA-1.

Image: leetspeak protection from hackers

Brute Force Attack Prevention

There are many methods of preventing brute force attacks. The most obvious is a strong password policy. Each web app or public server should enforce the use of strong passwords (i.e., for standard user accounts at least eight characters, with numbers, uppercase and lowercase letters, and special characters required) and require frequent password changes. That should be common knowledge by now, but let’s go beyond that.

Let’s investigate additional, less obvious, ways of preventing brute force attacks.

Please note that, most probably, not all methods will be applicable to your use case. Some methods are intended to prevent SSH brute force attacks specifically.

Account Lockouts with a Twist

As stated above, implementing an account lockout after several unsuccessful login attempts is ineffective on its own, as it makes your server easy prey for denial-of-service attacks. However, if performed with progressive delays, this method becomes much more effective.

Account lockouts with progressive delays lock an account only for a set amount of time after a designated number of unsuccessful login attempts. This means that automated brute force attack tools will not be as useful, while your admin will not have to deal with unlocking several hundred accounts every 10 minutes or so.
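A minimal progressive-delay lockout, as an added example (not code from the original article): each time an account reaches the failure threshold it is locked for a delay that doubles, up to a cap, and a successful login resets it. The threshold, delay and cap values are assumptions, and the caller is expected to reject attempts with is_locked() before checking the password.

```python
import time


class ProgressiveLockout:
    """Per-account lockout with doubling delays instead of a permanent lock."""

    def __init__(self, threshold=5, base_delay=30.0, max_delay=3600.0):
        self.threshold = threshold      # failures before the first lockout
        self.base_delay = base_delay    # seconds locked after the first threshold
        self.max_delay = max_delay      # cap so an attacker cannot lock an account forever
        self._state = {}                # user -> (failure_count, locked_until)

    def is_locked(self, user, now=None):
        """True while the account's current lock has not yet expired."""
        now = time.time() if now is None else now
        _failures, until = self._state.get(user, (0, 0.0))
        return now < until

    def record_failure(self, user, now=None):
        """Count a bad password. Every `threshold` failures the lock delay doubles:
        base_delay, 2*base_delay, 4*base_delay ... capped at max_delay.
        Returns how many seconds the account is locked from now (0 if not locked)."""
        now = time.time() if now is None else now
        failures, until = self._state.get(user, (0, 0.0))
        failures += 1
        if failures % self.threshold == 0:
            rounds = failures // self.threshold - 1   # 0 for the first lockout
            delay = min(self.base_delay * (2 ** rounds), self.max_delay)
            until = now + delay
        self._state[user] = (failures, until)
        return max(0.0, until - now)

    def record_success(self, user):
        """A correct password clears the counter; no admin intervention needed."""
        self._state.pop(user, None)


if __name__ == "__main__":
    policy = ProgressiveLockout(threshold=3, base_delay=10.0)
    for _ in range(3):
        locked_for = policy.record_failure("alice", now=0.0)
    print(f"alice locked for {locked_for:.0f}s after 3 failures")
```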

Make the Root User Inaccessible via SSH

SSH brute force attempts are often carried out on the root user of a server. Make sure to make the root user inaccessible via SSH by editing the sshd_config file. Set the ‘DenyUsers root’ and ‘PermitRootLogin no’ options.

Modify the Default Port

Most automated SSH attacks are attempted on the default port 22, so running sshd on a different port could prove to be a useful way of dealing with brute force attacks. To switch to a non-standard port, edit the Port line in your sshd_config file.

Use CAPTCHA

We are all pretty much used to seeing CAPTCHA all over the internet. Nobody likes trying to make sense of something that looks like it’s been scribbled by a two-year-old, but tools such as CAPTCHA render automated bots ineffective. That single requirement to enter a word or the number of cats on a generated image is highly effective against bots, even though hackers have started using optical character recognition tools to get past this safety mechanism.

Bear in mind that the use of tools such as CAPTCHA negatively impacts the user experience.

Allow Login Only from a Specified IP Address or Range

If you allow access only from a designated IP address or range, brute force attackers will need to work hard to overcome that obstacle and forcefully gain access. It is like placing a security perimeter around your most precious data, and everyone who doesn’t originate from the right IP address is not allowed access.

Image: example of preventing a brute force attack

You can set this up by scoping a remote access port to a static IP address. If you don’t have a static IP address, you can configure a VPN instead. One downside is that this might not be appropriate for every use case.

Use 2-Factor Authentication (2FA)

Two-factor authentication is considered by many the first line of defense against brute force attacks. Implementing such a solution greatly reduces the risk of a potential data breach.

The great thing about 2FA is that a password alone is not enough. Even if an attacker cracks the password, they would also need access to your smartphone or email client. Very persistent attackers might try to overcome that obstacle, but most will turn around and search for an easier target.

Two-factor authentication is very effective against many types of attack, including keylogger attacks. Many security guidelines stipulate the use of 2FA (e.g., HIPAA and PCI), and government agencies, such as the FBI, require it for off-site logins.

Unique Login URLs

Create unique login URLs for different user groups. This will not stop a brute force attack, but introducing that additional variable will make things a little bit more difficult (think time-consuming) for the attacker.

Monitor Your Logs Actively

Be sure to analyze your log files diligently. Admins know that log files are essential for maintaining a system. Log management applications, such as Logwatch, can help you perform daily check-ups, and can auto-generate daily reports.

Image: log analysis on a computer screen

In Conclusion: Brute Force Attack Prevention

A skilled and persistent attacker will always find a way to eventually break in, but implementing a combination of the methods outlined above will at least minimize the chances of you becoming a victim of a brute force attack. Brute force attackers like easy prey, and are most likely to turn around and search for another target if you throw a wrench in their works.