Increase in number of password guessing attacks

  • Resolved andyward75

    (@andyward75)


    6 years ago

    Hi, apologies if I seem ignorant here but on one of my sites that I have installed the free version of Wordfence I have noticed a sudden spurt of emails notifying me of people being locked out for trying to guess passwords.

    In the greater scheme of things, it isn’t a lot but it has gone from pretty much zero guesses in the first 6 months or so to 10s a day in the last week or so and the trend is increasing.

    Clearly, if WF has detected them and banned the IP then that is good but could there be others getting by? These people seem to be able to change their IP at the drop of a hat and I guess when IPv6 is fully rolled out that this sort of thing will only increase.

    Should I be concerned in any way?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Ambyomoron

    (@josiah-s-carberry)

    I think there are five types of cases that should help you decide if the risk is significant:

    1. The visitor is a legitimate member who entered the password correctly the first time
    2. The visitor is a legitimate member who made an error in entering the password, but entered the correct password immediately thereafter
    3. The visitor is a hacker who guessed a password on the first attempt
    4. The visitor is a hacker who knew someone else’s password by illegitimate means
    5. The visitor is a hacker who guessed the password before reaching the limit set by Wordfence

    Discussion:
    a. You cannot know the difference between 1 and 3. However, if you enforce the quality of the passwords, the probability of 3 is so low that you probably should not be concerned
    b. The only way you can know if this is the case is if the legitimate member complains. The only thing you can do to mitigate the risk is the require regular password changes or the require 2FA. Otherwise, it is not your problem (unless it was your site that was hacked to discover the password!)
    c. Mitigation for case 5 is the same as a. (see above)

    Conclusion: Given the huge number of different random passwords possible, the mere increase of attacks, going from say 1 a month to 1000 a month means that maybe it will take dozens of years to figure out a single password via brute force, as opposed to hundreds of years. So I wouldn’t worry about that. If your members are stupid about choosing passwords that are easy to guess, it is hard to protect them from themselves, but enforcing password policies (complexity, regular changes, 2FA) makes the tradeoff between security and ease of use. Lastly, if you yourself have NOT followed all best practices in hardening your site, then you should be concerned, no matter how many attacks you see.

    Thread Starter andyward75

    (@andyward75)

    Thanks for that. It isn’t much of a “blog” type site and so not a lot of users that need to login. These were all attempts, as far as I can see, that failed. They were all using admin, test and similar user ids which I don’t allow.

    So far, it doesn’t look like any attempt has been successful and I would like to keep it that way.

    Ambyomoron

    (@josiah-s-carberry)

    It is perhaps unusual that you hadn’t been getting that sort of attack. Join the club.

    xprt007

    (@xprt007)

    I have personally set Wordfence to immediately block non-existent usernames and some obvious ones like “admin”, which does not exist. My site has just over 120 users who do not log in much. If Wordfence alerts me that user X has been blocked, I check if I have a user with roughly similar name and if existent, I unblock them, because I know they mis-typed it. With obvious usernames like admin not being there, attempts are mostly with non-existent usernames. Most fake & non-existent users have usernames that appear fake and mass-generated.

    There are seasons when you have many daily active attempts, brute force attempts once in a while, but sometimes several weeks with none, like of late. I have however added lots security plugins, sometimes duplicating functionality, just because I have been frustrated at times. Another plague was sending emails supposedly from contact form, in spite of recaptcha, etc, although the cretins do not get registered by Statcounter as having visited the site. That has currently totally subsided.

    If you have set site to have anyone registering, you just have to reckon with criminals using bots trying to log in or reset pWs, with ever changing IPs, sometimes with same usernames, etc.

    • This reply was modified 6 years ago by xprt007.
    Thread Starter andyward75

    (@andyward75)

    Thanks for that. All makes sense

    xprt007

    (@xprt007)

    One more thing:
    I do not know if other people do that, but I always check out the list of usernames/IPs blocked by Wordfence now & then in the settings, select all and for all non-existent ones, which are 99.9%, I set the blockade to permanent. That way, I think over the last year or more probably thousands have been ultimately kept out. Some usernames you note have made dozens if not more attempts by then, probably over a long time.

    wfdave

    (@wfdave)

    Hi @andyward75,

    As your blog gains more popularity, so do the amount of bots who have visibility to your website.

    These bots send out hundreds of requests a day to random wordpress sites to see if they can get in.

    The best thing you can do for your site is…

    1. Enforce secure passwords for administrators (optimally with 2FA)
    2. Immediately block IPs of logins with invalid usernames
    3. Set a low threshold for incorrect password / reset password attempts

    Dave

    Thread Starter andyward75

    (@andyward75)

    OK, thanks for that. I do all the above apart from 2FA. I will look into that as well.

    Many Thanks to all who have responded. Most helpful.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Increase in number of password guessing attacks’ is closed to new replies.