Tackle it? As what? A site owner? A pen-tester? A black hat? A criminal?
> how much dangerous it can be
Very dangerous for sites with poor practices. Near zero dangerous for those with good practices.
What's your experience with Penetration Testing and Security Auditing? Sounds like you're just starting out. It's a well established industry filled with knowledgeable and enthusiastic people happy to share their knowledge.
Best start with some archives of DefCon talks and go from there.
Brute force attack just means an attack that isn't smart and instead relies on just trying a lot.
For instance, if you have a padlock with 3 dials on it, I can just try 000 through 999 and at some point I will find the correct solution. A smarter attack could be to try and watch you close the padlock. A more efficient brute force attack could be to try popular combinations first (e.g. 000, 123, 987).
Your question is not very specific as it doesn't contain the context of the attack, are we talking about cracking a user's password? Usually a simple first mitigation for bruteforce attacks is to limit the user's attempts (e.g. if you get your password wrong 3 times, you are locked out for 10 minutes). Another good practice is to make sure people's passwords are at the very least 8 characters long, then trying every attempt becomes quite difficult just because of the amount of possibilities.
Brute force is a technique associated with passwords. In the past, hackers would go through every single combination of passwords until they unlock your app/computer/account. This is why Bill Burr, the NIST manager who required passwords to have special characters later apologized saying the only thing that makes passwords safer was longer passwords not the password hell he put everyone through.
7 comments
[ 3.3 ms ] story [ 22.8 ms ] threadTackle it? As what? A site owner? A pen-tester? A black hat? A criminal?
> how much dangerous it can be
Very dangerous for sites with poor practices. Near zero dangerous for those with good practices.
What's your experience with Penetration Testing and Security Auditing? Sounds like you're just starting out. It's a well established industry filled with knowledgeable and enthusiastic people happy to share their knowledge.
Best start with some archives of DefCon talks and go from there.
For instance, if you have a padlock with 3 dials on it, I can just try 000 through 999 and at some point I will find the correct solution. A smarter attack could be to try and watch you close the padlock. A more efficient brute force attack could be to try popular combinations first (e.g. 000, 123, 987).
Your question is not very specific as it doesn't contain the context of the attack, are we talking about cracking a user's password? Usually a simple first mitigation for bruteforce attacks is to limit the user's attempts (e.g. if you get your password wrong 3 times, you are locked out for 10 minutes). Another good practice is to make sure people's passwords are at the very least 8 characters long, then trying every attempt becomes quite difficult just because of the amount of possibilities.
https://www.engadget.com/2017-08-08-nist-new-password-guidel...