• There are very many brute-force attacks (mostly against the ‘admin’ username) on WordPress sites. All these attacks are made automatically via POST requests.

    Question 1: how does a brute-forcer know that the password has been cracked for the target username?

    The brute-forcer tries typical passwords like ‘12345’, ‘qwerty’, etc. Often site administrators have the username ‘admin’ with a typical password, and this account is sometimes cracked via brute force. The Limit Login Attempts plugin solves this problem pretty well, by the way.

    The idea and question 2: if we know for sure that it is a brute-force attack (a JavaScript test or cookie test solves this, because brute-force bots are not usual browser clients), then is it a good approach to tell the brute-forcer nothing at all, even if the password was chosen correctly?

    Discussion on wordpress.stackexchange.com

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    A successful login is identified by the server response, of course. What particular aspect? It probably varies greatly by attacker. It is foolish to assume only one particular aspect is used. Even if it were the case today, it will not be the case in the future.

    If you can reliably identify an attacker, their POST request should be rejected before their password attempt is even checked. If they have successfully guessed your password, you have selected a very weak password and your security has failed. Attempting to disguise this failure may fool someone, but it is still a failure. Such a measure is not worth considering IMO; it is a variant of security by obscurity. It may work sometimes, but it is not real security.

    Even so, keep thinking creatively about possible security measures; the only truly bad idea is the one never offered up for discussion.
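The following is an added illustration of the approach the reply recommends; it is not code from this thread, from WordPress, or from any plugin. A stand-alone login handler counts failed attempts per (client IP, username) and, once a constructed threshold is reached, rejects the request before the password is ever verified, so a locked-out client receives the same generic response whether or not its guess was correct. The threshold, user records and IP addresses are all made up for the example.

```python
"""Reject abusive clients before checking credentials (added example, not WordPress code)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_FAILURES = 5  # constructed lockout threshold, in the spirit of limit-login plugins


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy record so unknown usernames still cost one hash, hiding whether the account exists.
DUMMY_RECORD = hash_password("not-a-real-password")


class LoginHandler:
    def __init__(self, users: dict[str, tuple[bytes, bytes]]):
        self.users = users                    # username -> (salt, stored digest)
        self.failures = defaultdict(int)      # (client ip, username) -> failed attempts
        self.password_checks = 0              # instrumentation: how often a password was verified

    def login(self, client_ip: str, username: str, password: str) -> tuple[int, str]:
        key = (client_ip, username)
        # Step 1 (the reply's advice): a client over the threshold is rejected here,
        # before the password is touched, so the response cannot leak a correct guess.
        if self.failures[key] >= MAX_FAILURES:
            return 429, "Too many attempts"
        # Step 2: only now verify the password, in constant time.
        self.password_checks += 1
        salt, stored = self.users.get(username, DUMMY_RECORD)
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(key, None)      # success clears the counter for this client
            return 200, "Logged in"
        self.failures[key] += 1
        return 401, "Invalid username or password"   # same message for bad user or bad password


if __name__ == "__main__":
    # Constructed demo: a scripted client exhausts its attempts against 'admin'.
    handler = LoginHandler({"admin": hash_password("correct horse battery staple")})
    for guess in ["12345", "qwerty", "password", "admin", "letmein"]:
        print(handler.login("203.0.113.7", "admin", guess))
    # The sixth attempt is rejected even though the password is right.
    print(handler.login("203.0.113.7", "admin", "correct horse battery staple"))
```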

  • The topic ‘How brute-forcer knows that the password is cracked for target username?’ is closed to new replies.