Brute Force Attack Prevention Mistake 1: Too Much Information (TMI)

Before you can begin developing your brute force prevention system, you must first make sure that your authentication system isn’t working against you. Many authentication systems give too much information (TMI) when responding to an invalid login attempt. For example, let’s say a user enters the following credentials.

Username: john.doe

Password: bl@hbl@h

Your authentication system searches the user table for a user with a username equal to “john.doe” so that you can retrieve the password hash for comparison. Your system quickly discovers that this username does not exist in the system so you give back a response like “Invalid Username” or “Username Does Not Exist”. This is a good example of giving too much information (TMI). Why would this be TMI?

The goal of brute force is to figure out a valid username and password. This means that one must first have a valid username before making attempts at the password. If your authentication system responds with “Invalid Username” or “User Name Does Not Exist”, then the person/script/tool performing the brute force knows to try another username. So they try another username and receive the same response. They try one more username and this time receive the response “Invalid Password” (TMI once again). The new response tells them that they have successfully found a valid username, so they can move on to brute forcing the password. Your authentication system has given the user too much information, and now you have helped them potentially brute force one of your users’ credentials.

Solution: Keep it Simple (KIS)! Your authentication system should respond to every invalid login attempt with the same response. Your response should not communicate specifics. The goal of the response is to inform the user that the username and password they provided were not valid and that they should try again. By using the same response for ALL invalid login attempts, you are telling the user to try again without helping Mr. Malicious brute force your users’ credentials. Some good example responses are below:

  • Invalid Username or Password
  • Username and Password do not match
  • Invalid Credentials. Please try again.
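To make the difference concrete, here is an added example (not code from the original post) that puts the TMI login handler from above next to a KIS version. The user table, the `john.doe` credential and the hashing parameters are constructed for the example. It also goes one step beyond the post: when the username is unknown, the hardened version still hashes the submitted password against a dummy record, so that an unknown user cannot be told apart from a wrong password by response time either.

```python
import hashlib
import hmac
import os

# Constructed sample user table: username -> (salt, PBKDF2 hash). Not real data.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; the cost is deliberately non-trivial."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


USERS = {
    "john.doe": make_record("correct horse battery staple"),  # constructed credential
}

# Dummy record used for unknown usernames so the hash computation still runs,
# keeping the cost of "unknown user" close to the cost of "wrong password".
DUMMY_RECORD = make_record(os.urandom(16).hex())

GENERIC_FAILURE = "Invalid Username or Password"


def leaky_login(username: str, password: str) -> tuple[bool, str]:
    """The TMI handler described in the post: the message reveals which field was wrong."""
    record = USERS.get(username)
    if record is None:
        return False, "Username Does Not Exist"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Invalid Password"
    return True, "Login successful"


def hardened_login(username: str, password: str) -> tuple[bool, str]:
    """KIS handler: one generic message for every failure, and the same work per attempt."""
    salt, stored = USERS.get(username, DUMMY_RECORD)
    # Always compute and compare the hash, even for an unknown username.
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    # The explicit membership check rules out a (practically impossible) match on the dummy record.
    if username in USERS and password_ok:
        return True, "Login successful"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    for login in (leaky_login, hardened_login):
        print(login.__name__, login("nobody", "bl@hbl@h"), login("john.doe", "bl@hbl@h"))
```

Running the block shows `leaky_login` returning two different messages for the two failed attempts, while `hardened_login` returns the identical `Invalid Username or Password` for both, so the responses alone no longer tell an attacker whether `john.doe` exists.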

5 Comments so far

  1. bofe on April 6, 2007

    I think you mean TOO much information

  2. JohnO on April 6, 2007

    Die grammar nazi!

  3. inkie78 on April 6, 2007

    Now now boys no fighting.

  4. dmac on April 6, 2007

    Nice catch! I changed it so all is well.

  5. tim on April 17, 2007

    If you want to find a valid username, you could typically try the signup form.
