UKJester's "Brute Force Attacks" Rant

What are you ranting about?

A brute force attack is where someone, using an automated process, repeatedly tries to log in to a restricted part of your website by trying passwords from a list of common passwords or even from an entire dictionary. (Strictly, guessing from a word list is a dictionary attack and a pure brute force tries every possible combination, but the defences against both are the same.) They try one password. If it fails, they try another. Against a login form with no defences a tool can make hundreds or even thousands of attempts per second, so unless the password is long, random and absent from every word list, they will eventually guess correctly and your site is at their mercy.

Fortunately, there are ways to help defend against brute force attacks. Unfortunately, almost all of them have pitfalls, but by combining techniques we can put up a good fight against the attackers.

What options do I have?

Let's assume the attacker is targeting your login form, which requires a username and a password. Let's also assume the attacker has already guessed one of your usernames because you were silly enough to use 'admin'. All the attacker now has to do is guess the password.
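To make the scenario concrete, here is an added example (written for this page, not UKJester's own code) that simulates exactly that: a login function backed by salted password hashes, and a dictionary attacker who already knows the username 'admin' and walks a word list against it. The two accounts, their passwords and the ten-entry word list are constructed for the demonstration, and the PBKDF2 iteration count is deliberately low so the example runs quickly. The last two functions do the arithmetic behind "unless the password is very strong": how many guesses a password space contains and how long it takes to exhaust at a given guess rate.

```python
import hashlib
import hmac
import os

# Low iteration count so the demo runs in well under a second; a real site
# would use a far higher work factor (this value is an assumption for the demo).
ITERATIONS = 10_000

# Constructed word list, in the order an attacker would try it. Real lists
# run to millions of entries; ten is enough to show the mechanics.
WORDLIST = [
    "123456", "password", "admin", "letmein", "qwerty",
    "welcome", "monkey", "dragon", "football", "Summer2023!",
]


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(accounts: dict) -> dict:
    """Build a {username: (salt, hash)} store from plaintext accounts.

    Stands in for the site's user table; plaintext passwords are never kept.
    """
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash(password, salt))
    return store


def login(store: dict, username: str, password: str) -> bool:
    """Simulated login endpoint: True only for a correct username/password pair."""
    if username not in store:
        return False
    salt, digest = store[username]
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(_hash(password, salt), digest)


def dictionary_attack(store: dict, username: str, wordlist: list):
    """Try each candidate password in order against the known username.

    Returns (password, attempts) on success, or (None, len(wordlist)) if the
    list is exhausted without a hit. Each iteration is one login request.
    """
    for attempts, guess in enumerate(wordlist, start=1):
        if login(store, username, guess):
            return guess, attempts
    return None, len(wordlist)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a given length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # Constructed accounts: a common password on 'admin', a random one on 'alice'.
    store = make_store({"admin": "letmein", "alice": "c7!Tq9#vLp2&xR"})
    print("admin:", dictionary_attack(store, "admin", WORDLIST))
    print("alice:", dictionary_attack(store, "alice", WORDLIST))
    six_lower = keyspace(26, 6)
    print("6 lowercase letters:", six_lower, "candidates;",
          round(seconds_to_exhaust(six_lower, 1000) / 86400, 1),
          "days at 1000 guesses/s")
```

Run it and 'admin' falls on the fourth guess, while 'alice' survives because her password is not in the list. The arithmetic at the end is the other half of the rant: a six-character lowercase password has about 309 million possibilities and falls in under four days at 1,000 guesses per second, whereas adding two characters (26^8) pushes the same rate past six years, which is why slowing the guess rate and insisting on stronger passwords are both worth doing.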