How to use trusted devices to protect your WordPress site

In theory, an attacker will always be able to guess your password through a brute-force attack, but the problem for them is that it could take hundreds of years to do it. There could be millions of possible combinations if your password is long and complex enough. However, attackers use sophisticated scripts that will often find passwords in a matter of days using techniques such as dictionary attacks.

Locking out user accounts

A common defence against brute-force attackers is to limit the number of failed login attempts that can be made and then lock out the user's account. The idea is that the attacker will only be able to guess a small number of times before the account is locked and the attack will stop. There are, however, a number of problems with this approach:

  • An attacker can easily cause a denial of service (DoS) by locking out large numbers of accounts.
  • It is highly disruptive for the user, who has to reset their password or, even worse, contact an administrator to get their account unlocked.
  • The administrator of the site will have to deal with unhappy users whose accounts have been locked out.
  • A strong attack effectively disables an account because even after an account is unlocked it will likely be locked again seconds later.

The downsides of this approach have led to the development of the ‘trusted devices’ system in use by many sites today.

What are trusted devices?

When a genuine user makes a successful login to their account, the device that they used is remembered and treated as trusted. The device is linked to their account only, so it won't help if they try to log in using a different username.

The main benefit of this approach is that a different strategy can be used for genuine users with trusted devices, and another strategy for untrusted devices. For example, strong counter-measures can be implemented against untrusted devices making multiple failed login attempts without impacting the experience of real users.

Key benefits:

  • A genuine user is offered assistance (rather than having their account locked) if they forget their password and make repeated failed attempts to log in.
  • The user can be notified if someone logs in to their account using a new device. This alerts the user if their account has been compromised. The user can be directed to change their password in such a case.
  • Strong counter-measures can be taken against attackers without disrupting genuine users using their trusted devices.

Many social media sites employ this approach because it is not feasible or desirable to lock out large numbers of users' accounts.

What about temporary lockouts?

Permanent account lockouts are not a preferable solution, but temporary lockouts of relatively short duration (against untrusted devices) can slow down attacks to the point where they become unviable.

A temporary lockout of untrusted devices is thus a good solution.
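
The sketch below shows how the two ideas above fit together: device tokens that are trusted for one account only, and a temporary lockout that applies to untrusted devices only. It is an added example, not code from the GuardGiant plugin or from WordPress. The class name, the threshold of 5 failures, the 300-second lockout and the in-memory storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5        # assumed threshold for untrusted devices
LOCKOUT_SECONDS = 300   # assumed short, temporary lockout

class TrustedDeviceGate:
    """Hypothetical login gate: untrusted devices are throttled, trusted ones are not."""

    def __init__(self, passwords):
        self.passwords = passwords          # username -> password (demo only; real sites store hashes)
        self.key = secrets.token_bytes(32)  # server-side secret used to hash device tokens
        self.trusted = {}                   # username -> set of device-token digests
        self.failures = {}                  # username -> failures from untrusted devices
        self.locked_until = {}              # username -> time the untrusted lockout ends

    def _digest(self, username, token):
        # The username is part of the MAC input, so a token only works for its own account.
        return hmac.new(self.key, f"{username}:{token}".encode(), hashlib.sha256).hexdigest()

    def is_trusted(self, username, token):
        if not token:
            return False
        d = self._digest(username, token)
        return any(hmac.compare_digest(d, t) for t in self.trusted.get(username, ()))

    def login(self, username, password, token, now):
        """Return (result, device_token); result is ok, ok_new_device, denied or locked."""
        trusted = self.is_trusted(username, token)
        if not trusted and now < self.locked_until.get(username, 0):
            return "locked", None           # the lockout never applies to a trusted device
        expected = self.passwords.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            if not trusted:                 # only untrusted failures count towards the lockout
                n = self.failures.get(username, 0) + 1
                self.failures[username] = n
                if n >= MAX_FAILURES:
                    self.locked_until[username] = now + LOCKOUT_SECONDS
                    self.failures[username] = 0
            return "denied", None           # a trusted device would be offered help here
        if trusted:
            return "ok", token
        new_token = secrets.token_urlsafe(32)   # would be sent as a long-lived cookie
        self.trusted.setdefault(username, set()).add(self._digest(username, new_token))
        self.failures.pop(username, None)
        return "ok_new_device", new_token   # caller notifies the user about the new device
```

The `ok_new_device` result is the point at which a site would send the new-device notification described under the key benefits.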

How to implement trusted devices functionality on your site

GuardGiant offers a free plugin for WordPress sites that can be found here