It is a password-guessing attack that does not aim to decrypt any information or data,the aim of a brute force attack is to gain access to user accounts by repeatedly trying a list of different combinations of passwords, Unlike hacks that focus on weakness in software, a Brute Force Attack aims at being the simplest kind of method to gain access to any web application: it keeps trying commonly used usernames and passwords again and again until it gains access to the account.
This is done automatically with a computer program,due to which the speed at which someone can brute-force the account increases and hardware becomes faster and is capable of doing more calculations per second. The brute-force attack start with one-digit passwords before it moves to two-digit passwords and so on, and it keeps trying all possible combinations until it works.
How to Prevent brute force attack:
The most common way to prevent brute-force attacks is to lock the accounts after a particular number of incorrect password attempts.The lock-out time increases with each subsequent failed attempt.Account can be locked for a specific time duration, such as one hour or more, or the accounts should be locked until unlocked by an administrator. However, account lockout is not the best solution, because someone can easily break the security and can lock multiple users account.Also some Web applications are unable to enforce a lockout policy because they constantly unlock customer accounts.
Locking out the account authentication from known and unknown browsers or devices can slow Online Passwords Guessing Attacks with Device and browsers Cookies suggestion protocol for lockout policy based on information about if a specific browser have already used for successful login. Then the protocol is less capable to DoS attacks than plain account locking and can be easy to implement.
CAPTCHA is a program used to distinguish between human and computer.CAPTCHAs are used in stopping any kind of automated attacks including brute-force attacks.It works by displaying some test which is easy for humans to pass but difficult for a computer system to pass as a result of which we can conclude whether there is a human or automated computer on the other end.
Humans must be able to answer the test correctly as Computers can fail to answer the test correctly most of the time as possible.perhaps the most commonly used CAPTCHA provides the user with an difficult to understand word that the user must type to pass the test with accuracy.
Other techniques that can be consider are:
1.For advanced users who need to protect their accounts from attack,should be provided with the option to login only from unique IP addresses.2.Provide unique login URLs to every group of user so that not all users can access the site from the same URL.3.Use a CAPTCHA to prevent computers automated attacks.4.Instead of fully locking out an account, the account should be locked with limited capabilities.