Rate Limiting and Account Lockout Defenses
Examine server-side and protocol-level defenses that make brute force attacks impractical in practice.
Online vs Offline Brute Force
Online brute force attacks authenticate against live systems over a network. Each attempt takes at least one round-trip (typically 50-500ms), limiting an attacker to a few thousand attempts per minute at best. This is vastly slower than offline hash cracking. Rate limiting and account lockout exploit this limitation to make online brute force practically impossible within any realistic time frame.
Account Lockout After N Failed Attempts
The simplest defence against online brute force is locking an account after a defined number of consecutive failed login attempts, typically 5 to 10. The account can be locked for a fixed duration (15 minutes) or until an administrator manually unlocks it. Lockout turns an online brute force attack from a password cracking exercise into an exhaustion attack against account availability.
All lessons in this course
- How Brute Force Attacks Work
- Dictionary Attacks and Rainbow Tables
- Why Cryptographic Key Length Matters
- Rate Limiting and Account Lockout Defenses