Brute force attack excuses

When you hear of “Brute force attacks”, you can generally find flaws.

First off a brute force attack can EASILY be avoided by a correctly configured server or firewall.

If the server can’t raise an alert or throttle a brute force attack after say 5 wrong attempts it’s really badly configured.

With that in mind:

Companies who sell security products for example with:

long password lengths
choosing certain digits of a password (note they would have to store an unhashed password, which is dumb)

To offer better security by mitigating brute force attacks on the client side, are wrong.

Conclusion: Brute force attacks in most cases should be handled by extra logic in the server, not the user.

Found any of my content interesting or useful?