The primary defense against a brute force attack must be enforcement of a strong
password policy. As mentioned earlier, dictionary words make poor passwords. Password
size is also important: the longer the password, the more difficult it will be to force.
While there is no strict definition of a strong password that will be harder to determine
via a dictionary attack, some good guidelines would be:
- Minimum length of at least seven characters
- Must include both upper and lower case characters
- Must include numeric characters
- Must include punctuation
These guidelines may seem overly strict, but there is little chance that a password created
with these restrictions will be found with a brute force attack. There are almost 70 trillion
combinations of characters that can be seven characters long and can include upper case
characters, lower case characters, numbers, and punctuation. Even a dictionary attack tool
that could make one hundred requests per second would still take over 11,000 years
before it would be statistically likely to guess the password.
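As an added example (not code from the book), the four guidelines above as a policy check, together with the keyspace and expected-time arithmetic behind the "11,000 years" figure; it assumes the 32 symbols of Python's `string.punctuation` as the punctuation set, giving a 94-character alphabet.

```python
import string

# Character classes required by the four guidelines above (assumed alphabets).
CLASSES = {
    "upper": string.ascii_uppercase,   # 26 characters
    "lower": string.ascii_lowercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "punct": string.punctuation,       # 32 characters (assumed punctuation set)
}
MIN_LENGTH = 7
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def check_policy(password: str) -> list[str]:
    """Return the names of the rules a password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            failures.append(name)
    return failures


def alphabet_size(classes=CLASSES) -> int:
    """Size of the combined alphabet a guesser must draw from (94 with the classes above)."""
    return sum(len(a) for a in classes.values())


def keyspace(length: int, classes=CLASSES) -> int:
    """Number of candidate passwords of exactly `length` characters: alphabet ** length."""
    return alphabet_size(classes) ** length


def years_to_expected_guess(length: int, guesses_per_second: float, classes=CLASSES) -> float:
    """Expected time to hit the password: on average half the keyspace is searched first."""
    seconds = (keyspace(length, classes) / 2) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample passwords: one that meets the policy, one that does not.
    for pw in ("Tr0ub4dor&3", "passwd"):
        print(pw, "fails:", check_policy(pw) or "none")
    print("7-char keyspace:", keyspace(7))
    print("years at 100 guesses/s:", round(years_to_expected_guess(7, 100)))
```

With a 94-character alphabet the seven-character keyspace is about 64.8 trillion, so at one hundred guesses per second the expected time to a hit is on the order of ten thousand years, matching the scale the text gives.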
Obviously, most Web sites will want to block a dictionary attack much sooner than
11,000 years into the attack. Many organizations use an intrusion detection system (IDS)
to detect an abnormally high number of requests coming from a single user. This is a
good idea, but it is not sufficient to prevent the brute force attack. A clever hacker will
simply reduce the bandwidth used by his automated tool until it falls under the alert
threshold of the IDS.