That's a great follow-up question! Preventing brute-force attacks is a critical part of modern web security. Since these attacks rely on "trying every possible key," the goal of prevention is to make that process either impossible or too time-consuming to be practical.
Here are the most common ways systems defend themselves:
1. Account Lockout Policies
This is the most direct defense. After a specific number of failed attempts (e.g., 5 wrong passwords), the system automatically locks the account for a period (e.g., 30 minutes) or until an administrator unlocks it. This makes automated tools useless because they can no longer "guess."
2. Rate Limiting and Throttling
Instead of locking the account completely, the system might slow down the login process. For every failed attempt, the server introduces a delay (e.g., 2 seconds, then 4, then 10). This prevents a tool like Hydra from trying thousands of passwords per second.
3. Multi-Factor Authentication (MFA/2FA)
Even if an attacker successfully guesses the password, MFA requires a second "factor"—like a code sent to your phone or an app. Since the attacker doesn't have your physical device, the brute-force attack fails at the final step.
4. CAPTCHAs
CAPTCHAs (those "I am not a robot" checkboxes or image puzzles) are designed to distinguish humans from machines. Automated scripts usually cannot solve them easily, which blocks the "automation" part of the attack.
5. Enforcing Strong Password Policies
By requiring passwords to be long and complex (using symbols, numbers, and mixed case), the number of possible combinations becomes so high that it would take a computer centuries to guess them.
6. Progressive Back-off
The system gets "harder" to log into as more failed attempts occur. For example, it might start requiring a CAPTCHA only after the second failed attempt.
In this lab, you'll see how easy it is to crack a password when none of these protections are in place! Ready to try using Hydra to automate the attack?
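The lockout and increasing-delay defenses from items 1 and 2 above, as an added Python example that is not part of the original reply. The class name `LoginThrottle`, the account name and the simulated client are assumptions made for illustration; the thresholds are the example values quoted in the text.

```python
import time

MAX_FAILURES = 5           # example value from the text: 5 wrong passwords
LOCKOUT_SECONDS = 30 * 60  # example value from the text: 30-minute lock
DELAYS = (2, 4, 10)        # example delays from the text; the last value repeats

class LoginThrottle:
    """Per-account failure tracking (hypothetical class, in-memory only)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}       # username -> consecutive failures
        self._blocked_until = {}  # username -> time the next attempt is accepted

    def wait_time(self, username):
        """Seconds until an attempt is accepted; 0 means verify the password now."""
        return max(0, self._blocked_until.get(username, 0) - self._clock())

    def record_failure(self, username):
        """Call after a wrong password; returns the pause imposed in seconds."""
        count = self._failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            pause, count = LOCKOUT_SECONDS, 0  # lock, then start a fresh count
        else:
            pause = DELAYS[min(count - 1, len(DELAYS) - 1)]
        self._failures[username] = count
        self._blocked_until[username] = self._clock() + pause
        return pause

    def record_success(self, username):
        """Call after a correct password; clears the account's state."""
        self._failures.pop(username, None)
        self._blocked_until.pop(username, None)

def guesses_evaluated(duration, interval=1):
    """Simulate a client sending a wrong password every `interval` seconds
    (constructed scenario) and count the guesses that reach verification."""
    now = [0]  # fake clock so the simulation runs instantly
    throttle = LoginThrottle(clock=lambda: now[0])
    evaluated = 0
    for t in range(0, duration, interval):
        now[0] = t
        if throttle.wait_time("alice") == 0:  # otherwise rejected unchecked
            evaluated += 1
            throttle.record_failure("alice")
    return evaluated

if __name__ == "__main__":
    print(guesses_evaluated(3600))  # 10 of 3600 attempts reach verification
```

Attempts that arrive while an account is paused or locked are rejected without the password being checked, so an hour of one-per-second guessing yields only ten evaluated guesses.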