How to prevent brute force webmail attacks

How to prevent brute force webmail attacks

Why is the brute-force of webmail accounts a popular hacking technique? How is it done, and what can be done to prevent it on an enterprise level?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Great question. Brute forcing Web-based email accounts is popular because it's so easy. There are a number of publicly available brute-force password-guessing tools, which require minimal skill to use, including ones like "Brutus." You give Brutus a list of words (a "dictionary") to use as usernames or passwords, and it will try every possible combination until one works. Some tools will also try permutations on each password (i.e. "fluffy8", "fluffy9", etc.). The program is simple enough that a teenager could use it to point, click and break, or brute force, into webmail accounts.

The good news is that there are effective ways to foil enterprise Web-based email attacks. Probably the most straightforward strategy is to use two-factor authentication. It is often said that there are three forms of authentication:

  1. Something you have (i.e. a debit card)
  2. Something you know (i.e. a password)
  3. Something you are (i.e. your fingerprint)

Password-protected Web email is an example of single-factor authentication (something you know). Since passwords are often remotely guessed or stolen, this is a fairly low-security method for restricting access.

For Web-based email, I recommend using at least two-factor authentication, such as RSA Security Inc.'s hardware SecurID token. These tokens fit in the palm of your hand, and they display a different password for every login. The password is never repeated, and the odds of guessing it at the right time are extremely small. The user generally also types in a personal PIN, combining the hardware token (something you have) with the PIN (something you know). There are also many other ways to implement two-factor authentication, such as software-based authenticators or cell phone-based systems.

You can also reduce the risk of brute-force webmail attacks by limiting login attempts (i.e. three failed logins in one minute results in a 15-minute lockout). This dramatically limits an attacker's number of guesses. Make sure you have a strong password policy so passwords are difficult to guess, and test accounts regularly. Finally, if you have a password reset system, ensure the answers to questions are not easily attainable from public records or social networking sites.

This was first published in July 2009