How to prevent brute force webmail attacks

Expert Sherri Davidoff explains why brute-force attacks on webmail accounts are such a popular hacking technique.

Why is the brute-force of webmail accounts a popular hacking technique? How is it done, and what can be done to prevent it on an enterprise level?

Great question. Brute forcing Web-based email accounts is popular because it's so easy. There are a number of publicly available brute-force password-guessing tools, which require minimal skill to use, including ones like "Brutus." You give Brutus a list of words (a "dictionary") to use as usernames or passwords, and it will try every possible combination until one works. Some tools will also try permutations on each password (i.e. "fluffy8", "fluffy9", etc.). The program is simple enough that a teenager could use it to point, click and break, or brute force, into webmail accounts.

The good news is that there are effective ways to foil enterprise Web-based email attacks. Probably the most straightforward...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

strategy is to use two-factor authentication. It is often said that there are three forms of authentication:

Something you have (i.e. a debit card)
Something you know (i.e. a password)
Something you are (i.e. your fingerprint)

Password-protected Web email is an example of single-factor authentication (something you know). Since passwords are often remotely guessed or stolen, this is a fairly low-security method for restricting access.

For Web-based email, I recommend using at least two-factor authentication, such as RSA Security Inc.'s hardware SecurID token. These tokens fit in the palm of your hand, and they display a different password for every login. The password is never repeated, and the odds of guessing it at the right time are extremely small. The user generally also types in a personal PIN, combining the hardware token (something you have) with the PIN (something you know). There are also many other ways to implement two-factor authentication, such as software-based authenticators or cell phone-based systems.

You can also reduce the risk of brute-force webmail attacks by limiting login attempts (i.e. three failed logins in one minute results in a 15-minute lockout). This dramatically limits an attacker's number of guesses. Make sure you have a strong password policy so passwords are difficult to guess, and test accounts regularly. Finally, if you have a password reset system, ensure the answers to questions are not easily attainable from public records or social networking sites.

This was last published in July 2009

Dig Deeper on Email and Messaging Threats-Information Security Threats

SearchCloudSecurity

What’s the difference between a password and a PIN?

reverse brute-force attack

WPA3

brute force attack

Please create a username to comment.

Defining and evaluating SOC as a service

Get to know the elements of Secure Access Service Edge

Boost security with a multi-cloud workload placement process

CloudGenix-Palo Alto buy combines SD-WAN with cloud security

A deep dive into the differences between 5G and Wi-Fi 6

Maintaining network infrastructure in a pandemic and beyond

C-suite executives offer advice on working remotely during pandemic

How IT can build an agile business partnership

Former Cisco CEO offers C-suite leadership tips in time of crisis

How to evaluate on-premises vs. cloud-based MDM, UEM

How CMT, MDM and EMM merged into UEM software

How to enable and troubleshoot fast startup in Windows 10

Explore the pros and cons of cloud computing

How to protect and manage Azure Pipelines secrets with Key Vault

7 Google Cloud database options to free up your IT team

Coronavirus: The role of AI in the ‘war’ against epidemics and pandemics

Coronavirus: Magecart attacks on online retailers jump 20%

What the Court of Appeal referrals mean to those who campaigned for justice for subpostmasters

Dig Deeper on Email and Messaging Threats-Information Security Threats

What’s the difference between a password and a PIN?

reverse brute-force attack

WPA3

brute force attack

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.