Brute Force Attacks
1. Definition
Brute Force is an attack method where an attacker systematically checks all possible passwords or phrases until the correct one is found. In the context of web applications, it typically refers to “Online Brute Force” against a login endpoint.
It is distinct from Credential Stuffing (which replays username/password pairs from earlier breaches) and Dictionary Attacks (which try entries from a wordlist of common passwords), though “Brute Force” is often used as an umbrella term for any password-guessing attack.
2. Technical Explanation
Authentication systems verify identity by hashing the submitted password and comparing the result with the stored hash; the attacker's job is to find an input that produces a match.
- Online Attack: The attacker sends login requests (for example HTTP POSTs to /login) and reads the response. Speed is bounded by network latency, server response time and any throttling the server applies, which makes it orders of magnitude slower than an offline attack against a stolen hash database.
- Reverse Brute Force (Password Spraying): Instead of trying many passwords against one user, the attacker tries one common password (e.g., “password123”) against a long list of usernames, then moves on to the next password. Each account sees only one or two failures, so per-account lockout never triggers.
3. Attack Flow (Password Spraying)
```mermaid
sequenceDiagram
    participant Bot
    participant Auth as Auth Server
    participant DB as User DB
    Bot->>Auth: 1. Login user: "alice", pass: "Winter2025!"
    Auth-->>Bot: 401 Unauthorized
    Bot->>Auth: 2. Login user: "bob", pass: "Winter2025!"
    Auth-->>Bot: 401 Unauthorized
    Bot->>Auth: 3. Login user: "charlie", pass: "Winter2025!"
    Auth->>DB: Verify Hash... Match!
    Auth-->>Bot: 200 OK (Session Token)
    Note right of Bot: Account Compromised<br/>Avoids "Account Lockout" logic<br/>because user changes every time.
```
4. Real-World Case Study: The “iCloud Celebrity Leak” (2014)
Target: the Find My iPhone authentication endpoint of Apple iCloud. Vulnerability Class: Unrestricted Brute Force (no rate limiting or account lockout on one endpoint).
The Attack: In late August 2014 a script called iBrute was published that tried a list of common passwords against iCloud account names through the Find My iPhone endpoint. Unlike the main iCloud login, that endpoint did not lock accounts or throttle repeated failures, so the script could work through its whole wordlist against any target address without tripping a defense. A matching password gave access to the account's iCloud backups, including photos and contacts. Apple patched the endpoint within days; its own investigation attributed the leaked celebrity accounts to targeted attacks on usernames, passwords and security questions (phishing and guessing) rather than to a breach of iCloud, so how much iBrute itself contributed remains disputed. The lesson holds either way: a single unthrottled login endpoint undoes the lockout logic on every other one.
Impact: Private photos of over a hundred individuals were published. Apple subsequently extended two-factor authentication to iCloud, added login and restore notifications, and applied rate limiting to the affected endpoint.
5. Detailed Defense Strategies
A. Exponential Backoff & Rate Limiting
Do not rely on blocking IPs alone (attackers rotate through proxies and botnets), and do not rely on per-account counters alone (spraying touches each account once). Combine limits keyed on the account, the source address and the site as a whole.
- Account Lockout: Lock the account after N (commonly 5) consecutive failures. Risk: an attacker can deliberately lock legitimate users out, so prefer a temporary lock, unlock through a verified channel, and count failures per (account, source) so a remote attacker cannot lock out the real user.
- Exponential Backoff: Increase the mandatory wait between attempts on one account after each consecutive failure, for example:
  - Fail 1: 0s delay
  - Fail 2: 2s delay
  - Fail 3: 10s delay
  Enforce the delay by rejecting attempts that arrive before the window has expired, not by sleeping inside the request handler: a sleep ties up a worker per request, and an attacker simply sends requests in parallel. Reset the counter on a successful login.
- Throttling: Use algorithms like “Token Bucket” to cap attempts per account, per IP and globally (a sudden rise in total failures across all accounts is what exposes a spray).
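The following is an added example, not code from the original article: a Python login throttle that combines the per-account backoff schedule above with a per-IP token bucket, plus two constructed scenarios (a single-account brute force and a spray) that show which limit catches which attack. The schedule values, bucket size, usernames and IP addresses are assumptions for the demo.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions for the demo; tune per application).
BACKOFF_SCHEDULE = [0, 2, 10, 30, 60]  # seconds the account is closed after the Nth consecutive failure
BUCKET_CAPACITY = 20                    # per-IP burst allowance
BUCKET_REFILL_PER_SEC = 0.1             # per-IP sustained rate: one attempt every 10 s


class FakeClock:
    """Constructed deterministic clock so the demo runs offline and repeatably."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Decides whether a login attempt may be evaluated at all.

    Two independent limits, because each defeats a different attack:
      * per-account backoff  -> classic brute force against one user
      * per-IP token bucket  -> password spraying, where the account changes every request
    State lives in memory here; a real deployment keeps it in a shared store (e.g. Redis)
    so that every application node sees the same counters.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)         # account -> consecutive failures
        self.blocked_until = defaultdict(float)  # account -> earliest time the next attempt is evaluated
        self.buckets = {}                        # ip -> (tokens, last_refill_time)

    def _take_token(self, ip):
        now = self.clock()
        tokens, last = self.buckets.get(ip, (BUCKET_CAPACITY, now))
        tokens = min(BUCKET_CAPACITY, tokens + (now - last) * BUCKET_REFILL_PER_SEC)
        if tokens < 1:
            self.buckets[ip] = (tokens, now)
            return False
        self.buckets[ip] = (tokens - 1, now)
        return True

    def check(self, account, ip):
        """Call BEFORE verifying the password. Returns (allowed, reason).

        A rejected attempt is never evaluated, so it neither counts as a failure
        nor leaks whether the password would have matched.
        """
        if not self._take_token(ip):
            return False, "ip_rate_limited"
        if self.clock() < self.blocked_until[account]:
            return False, "account_backoff"
        return True, "ok"

    def record(self, account, success):
        """Call AFTER the password check with its outcome."""
        if success:
            self.failures.pop(account, None)
            self.blocked_until.pop(account, None)
            return
        self.failures[account] += 1
        step = min(self.failures[account], len(BACKOFF_SCHEDULE)) - 1
        self.blocked_until[account] = self.clock() + BACKOFF_SCHEDULE[step]


def simulate_single_account(attempts, ip="198.51.100.9"):
    """Constructed scenario: one IP guesses 'alice' once per second, wrong every time.
    Returns one bool per attempt: True if the server evaluated the password."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    outcomes = []
    for _ in range(attempts):
        allowed, _reason = throttle.check("alice", ip)
        outcomes.append(allowed)
        if allowed:
            throttle.record("alice", success=False)
        clock.advance(1.0)
    return outcomes


def simulate_spray(usernames, ip="203.0.113.7"):
    """Constructed scenario: one IP sprays a single password across many accounts at once.
    Returns how many attempts the server actually evaluated."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    evaluated = 0
    for user in usernames:
        allowed, _reason = throttle.check(user, ip)
        if allowed:
            evaluated += 1
            throttle.record(user, success=False)
    return evaluated


if __name__ == "__main__":
    single = simulate_single_account(14)
    print("single account, 14 attempts, evaluated:", single.count(True), single)
    print("spray of 100 accounts from one IP, evaluated:", simulate_spray([f"user{i}" for i in range(100)]))
```

In the single-account run only 4 of 14 guesses are evaluated (the per-account backoff absorbs the rest), while in the spray run the per-account counter never fires and it is the per-IP bucket that stops the attack after 20 accounts. An attacker who rotates source addresses defeats the bucket too, which is why a global failure-rate limit and the detection logic in section D are still needed.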
B. Multi-Factor Authentication (MFA)
MFA contains the damage of a guessed password: the attacker still has to present a second factor (an OTP or a hardware key) that guessing the password does not give them. It does not make the guessing harmless, since a confirmed valid password is reused for phishing and MFA-fatigue prompts, so the rate limits above still apply. The OTP verification step needs its own rate limit: a six-digit code has only a million possibilities and is brute-forced in minutes if the endpoint accepts unlimited tries.
- Enforcement: Mandate MFA for all users, or at least for admin accounts, and prefer phishing-resistant factors (FIDO2/WebAuthn hardware keys) over SMS or app-generated codes where possible.
C. CAPTCHA / Proof of Work
Require a challenge after a threshold of failed attempts, rather than on every login, so that legitimate users rarely see it.
- Tools: Cloudflare Turnstile, Google reCAPTCHA (v2 shows a visible challenge; v3 scores each request invisibly and leaves it to the application to decide what to do with low scores).
- Proof of work makes every attempt computationally expensive for the client; CAPTCHAs make automation technically difficult. Neither is a hard stop (solving services exist), so treat them as a cost multiplier alongside rate limiting, not a replacement for it.
D. Detection & Alerting
Monitor for Password Spraying patterns: many distinct usernames failing within a short window, each only once or twice, often sharing a user-agent. Aggregate across all sources rather than per IP, because a proxied attacker shows up as one failure from each of many addresses. Alert users when a login succeeds from a new device or location, and tell them about failed attempts against their account.
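As an added example (not part of the original article), the following Python detector runs the spray heuristic described above over constructed authentication log lines: it keeps a sliding window of failures and alerts when many distinct usernames fail while each fails only a few times. The log format, thresholds, usernames and IP addresses are assumptions made for the demo, not any product's real format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for the demo (not any specific product's format):
#   2025-01-15T10:00:00Z auth failure user=alice src=198.51.100.5
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["result"], m["user"], m["src"]


def detect_spray(lines, window=timedelta(minutes=5), min_users=10, max_fails_per_user=2.0):
    """Sliding-window spray detector. Returns [(time, distinct_users, failures, distinct_sources)].

    Signature of a spray: many DISTINCT usernames fail inside the window while each of them
    fails only once or twice (a single account being hammered has the opposite shape).
    Failures are aggregated across all source addresses on purpose: a proxied attacker
    appears as one failure from each of many IPs, so per-IP counters see nothing unusual.
    """
    recent = deque()        # failures inside the window: (ts, user, src)
    alerts = []
    suppress_until = None   # one alert per window, not one per log line
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "failure":
            continue
        ts, _, user, src = parsed
        recent.append((ts, user, src))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        per_user = defaultdict(int)
        sources = set()
        for _, u, s in recent:
            per_user[u] += 1
            sources.add(s)
        n_users, n_fail = len(per_user), len(recent)
        if n_users >= min_users and n_fail / n_users <= max_fails_per_user:
            if suppress_until is None or ts > suppress_until:
                alerts.append((ts, n_users, n_fail, len(sources)))
                suppress_until = ts + window
    return alerts


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def constructed_spray_log():
    """Constructed sample: a user's typo, then 12 accounts sprayed through 3 rotating proxies."""
    base = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
    lines = [
        f"{_stamp(base)} auth failure user=alice src=198.51.100.5",
        f"{_stamp(base + timedelta(seconds=5))} auth failure user=alice src=198.51.100.5",
        f"{_stamp(base + timedelta(seconds=10))} auth success user=alice src=198.51.100.5",
    ]
    proxies = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
    for i in range(12):
        ts = base + timedelta(seconds=60 + 10 * i)
        lines.append(f"{_stamp(ts)} auth failure user=user{i:02d} src={proxies[i % 3]}")
    return lines


def constructed_single_account_log():
    """Constructed sample: one account brute-forced from one IP, which is NOT a spray."""
    base = datetime(2025, 1, 15, 11, 0, tzinfo=timezone.utc)
    return [f"{_stamp(base + timedelta(seconds=3 * i))} auth failure user=bob src=203.0.113.50"
            for i in range(30)]


if __name__ == "__main__":
    for ts, users, fails, srcs in detect_spray(constructed_spray_log()):
        print(f"SPRAY {ts.isoformat()}: {users} accounts, {fails} failures, {srcs} source IPs")
    print("single-account log alerts:", detect_spray(constructed_single_account_log()))
```

The spray log produces exactly one alert, raised as soon as ten distinct accounts have failed even though no single IP sent more than a few requests; the single-account log produces none, because that case belongs to the per-account backoff in section A rather than to spray detection.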
