Two-factor authentication (2FA): additionally, administrators can require two-step authentication and install an intrusion detection system that detects brute force attacks. This requires users to follow-up a login attempt with a second factor, like a physical USB key or fingerprint biometrics scan.
Limit number of login re-tries: limiting the number of attempts also reduces susceptibility to brute-force attacks. For example, allowing three attempts to enter the correct password before locking out the user for several minutes can cause significant delays and cause hackers to move on to easier targets.
Account lockdown after excessive login attempts: if a hacker can endlessly keep retrying passwords even after a temporary lockout, they can return to try again. Locking the account and requiring the user to contact IT for an unlock will deter this activity. Short lockout timers are more convenient for users, but convenience can be vulnerability. To balance this, you might consider using the long-term lockdown if there are excessive failed logins after the short one.
Throttle rate of repeated logins: you can further slow an attacker’s efforts by creating space between each single login attempt. Once a login fails, a timer can deny login until a short amount of time has passed. This will leave lag-time for your real-time monitoring team to spot and work on stopping this threat. Some hackers might stop trying if the wait is not worth it.
Required Captcha after repeated login attempts: manual verification does stop robots from brute-forcing their way into your data. Captcha comes in many types, including retyping the text in an image, checking a checkbox, or identifying objects in pictures. Regardless of what you use, you can use this before the first login and after each failed attempt to protect further.
Use an IP deny list to block known attackers. Be sure that this list is constantly updated by those who manage it.
Active IT Support Protections for Passwords