Preventing Brute Force login attempts

21 May 2019

Tim Nash

Customers on our Managed WordPress Hosting often get in touch with us to say, “My security plugin is reporting thousands of unsuccessful login attempts, should I be worried?”

The answer is: not really, as long as you have a good passphrase or use a password manager, and have two-factor authentication enabled (we covered setting up two-factor authentication in a previous article).

Really there is only one metric we care about… how many successful login attempts have there been?

So why do security plugins tell you about the number of unsuccessful login attempts? In short, to scare you into keeping the plugin installed! A less cynical view is for the plugin to demonstrate how effective it is being. In most cases, this counter is not so much the work the plugin has done, rather a simple growing tally of the number of failed logins over a given period.

How we block brute force logins

On our Managed WordPress Hosting we use a tool called fail2ban, which monitors our logs for failed logins. If a user fails to log in, their IP address is recorded and after a certain number of attempts, we block access to the site and server for a short period of time.

What we tend to find is that the attacker uses one IP address, we block it, and then a few minutes later they simply use another and carry on. It’s like a never-ending game of whack-a-mole.

Consequently, we advise having a secure passphrase and two-factor authentication, as with a good passphrase, the risk from such automated brute force attacks is reduced to nearly zero.

Why do we block these attempts if attackers are just going to swap IP addresses? That’s a reasonable question. Our primary reason for blocking the IPs is to reduce server load, as well as to provide some disruption to the attackers’ activities. There is a level at which some smaller operators will run out of IP addresses, and these operators often misconfigure their attacks so that they hammer the server too quickly, meaning they take up resources; it’s these attacks we are looking to stop quickly.
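To show what the fail2ban-style counting above actually does, here is an added Python sketch (not the hosting platform’s or fail2ban’s own code) that applies fail2ban’s maxretry/findtime/bantime idea to constructed access-log lines. It relies on WordPress answering a failed wp-login.php POST with a 200 (the form is shown again) and a successful one with a 302 redirect, and it also shows the whack-a-mole problem: an attacker that rotates IPs before reaching the threshold is never banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of combined-format access log lines (not real traffic).
# 203.0.113.5 fails five times in a row; 198.51.100.7 logs in successfully;
# 198.51.100.9 makes four failures and then (presumably) moves to a new IP.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [21/May/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [21/May/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [21/May/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [21/May/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.7 - - [21/May/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [21/May/2019:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.9 - - [21/May/2019:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.9 - - [21/May/2019:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.9 - - [21/May/2019:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
"""

# Only a POST to wp-login.php that returned 200 counts as a failed login.
FAILED_LOGIN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" 200 ')


def parse_time(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def find_bans(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-IP timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue  # successful logins (302) and other requests are not failures
        ip, when = m.group("ip"), parse_time(m.group("ts"))
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = when  # a real deployment would add a firewall rule here
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```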

Choosing a good password

So what makes a good password? It’s simple: Length

The longer the password, the better the password. There are some nuances to this, but regardless of the character set, choosing a password of 16 characters or more will require exponentially more computing power and attempts to break than a password of just 8 characters.

NIST, a US government body that publishes standards, updated its guidelines recently to say that passwords you are going to remember should be easy to remember but hard to guess. This is a change, as historically guidelines have been all about making passwords complex with the use of special characters, numbers, capitalisation etc. While these passwords may look complicated, computers don’t really care. Increasing the character choice from 52 to 92 characters, whilst a huge jump for humans, will only slightly slow down computers, which don’t eat or sleep and happily make thousands of computations a second.

What this means is fewer passwords like T3%dF5*1 and more along the lines of pensionmountaingreenabuse, which could also be called a passphrase.

A passphrase is 4 or more randomly generated words. Humans are terrible at randomness, so don’t try picking them yourself! The goal is to create a password that has enough length without making it too difficult for you to remember. There is nothing wrong with adding special characters and numbers to such passphrases; this will in turn also increase the password entropy, making them stronger still.
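The length argument and the passphrase advice above can be put into numbers. This added Python example (not code from the original article) generates a passphrase from a word list using the operating system’s CSPRNG rather than a human’s guesswork, and computes the search-space entropy of the article’s cases: 8 characters from 52 or 92 symbols, 16 characters, and 4 or 5 random words. The short WORDLIST is a constructed stand-in; a real diceware-style list such as the EFF long list has 7776 words, and the entropy figures below use that size.

```python
import math
import secrets

# Constructed stand-in for a diceware-style word list. Entropy depends on the
# size of the list actually used, so a real deployment should use a published
# list (the EFF long list has 7776 words), not this toy one.
WORDLIST = ["pension", "mountain", "green", "abuse", "river", "candle", "orbit",
            "velvet", "harbour", "tunnel", "meadow", "falcon", "copper", "lantern",
            "saddle", "timber"]


def entropy_bits(choices, length):
    """Bits of entropy for `length` symbols, each drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def generate_passphrase(words=4, wordlist=WORDLIST, sep="-"):
    """Pick `words` words with secrets.choice (OS CSPRNG), never by hand."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare():
    """Search space, in bits, of the cases the article discusses."""
    return {
        "8 chars, 52-letter set": entropy_bits(52, 8),
        "8 chars, 92-char set": entropy_bits(92, 8),
        "16 chars, 52-letter set": entropy_bits(52, 16),
        "4 words, 7776-word list": entropy_bits(7776, 4),
        "5 words, 7776-word list": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:>24}: {bits:5.1f} bits")
    print("example passphrase:", generate_passphrase())
```

Widening the character set from 52 to 92 adds under 7 bits; doubling the length from 8 to 16 adds about 46 bits, which is why the article says length is what matters.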

Passphrases provide a strong basis for securing a site, just remember to keep them random and set a different passphrase for every login you use.

The reality is that you may be able to remember 5-10 passphrases but after that, remembering a new one for every single site you use will prove difficult. This makes a password manager the ideal solution.

Password Managers

Password managers are something the information security industry love to talk about. At their heart, they are a database of stored passwords and a way to generate passwords. When you need a password for a new site, you tell your password manager to generate one for you and the password manager saves it in its database.

When you visit the site, you fire up the password manager and it fills in the password for you.

The result is that you have long, complicated passwords, autogenerated for you, and you don’t need to remember them; you just use your password manager.

Why do some people not like password managers?

For some, password managers break a paradigm. A password is something you know, and in theory, only you know; it’s secret knowledge. A password manager is something you own and so it’s not secret knowledge and again in theory, someone with access to your device now has access to any site for which the password manager holds the password.

This can be mitigated and argued against as both the password manager and hopefully your devices are secured, needing passwords or passphrases of their own to access.

The second argument is that by adding software into the flow, you are opening new attack surfaces, i.e. someone hacking the password manager itself. This could happen, but of course most password managers have taken steps to limit this by storing data in ways that mean an attacker would still need access to your devices to decrypt the data, or would need a very large amount of processing power and time to break the encryption.

The most common password managers are services like OnePassword, LastPass, DashLane etc. These are simple to set up and each comes with its own benefits. For those not wanting to use a third-party service there are self-hosted options like KeePass and Bitwarden. These take more time to set up and do require ongoing maintenance to run, but keep you in control of the data.

So which should you use?

Passphrases or password managers: it’s ultimately your choice. For myself, I use passphrases for what I consider mission-critical services (like my primary email) and then a password manager (KeePass currently) for all my other passwords.

But the choice is yours, the important thing is to be comfortable with the choice. If in doubt, try one of the password services – most have free trials.

Should you be concerned about brute force logins? Not really, so long as:

  • You are on good hosting – Managed WordPress Hosting ✔️
  • You use a long passphrase or password manager – Passphrase/KeePass/OnePassword ✔️
  • You use two-factor authentication – Google Authenticator and two-factor plugin ✔️

It is worth remembering that for many sites it’s not just “you”; every administrator should have a passphrase or password manager and two-factor authentication enabled. Education is important, so once you have sorted yourself out, make sure your colleagues are also following best practices.

With that, you can stop worrying about the number of failed login attempts that your security plugin tells you about every time you log in!