Skip to main content

Brute force attack detection

To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.

A brute force attack happens when an attacker tries to guess a user's password. Imply Hybrid Auth can detect brute force attacks and temporarily disable an account after a configurable number of login failures.

When an account is temporarily disabled, attempting to login results in the same Invalid username or password error message as displayed for entering invalid login credentials. This is intentional to avoid revealing to an attacker that the user's account is temporarily disabled.

Brute force attack detection is disabled by default. Enabling this feature is the best practice to protect against this type of attack.

To enable the brute force detection feature, follow these steps:

  1. In the User management console, click Organization Settings.
  2. Click the Security Defenses tab.
  3. Toggle Enabled under Brute Force Detection to activate brute force attack detection.
  4. (Optional) To enable permanent lockout, toggle the Permanent Lockout switch.
    • Permanent lockout disables the account when the user exceeds the maximum number of login failures.
    • Temporary lockout disables an account for a period of time after an attack is detected. The time period increases the longer the attack continues.
  5. Configure any of the following settings based on your desired policy:
    • Max Login Failures: Maximum number of login failures permitted. Default value is 30.
    • Wait Increment (temporary lockout): Amount of time added to the time a user is temporarily disabled after each time Max Login Failures is reached. Default is 1 minute.
    • Quick Login Check Milliseconds: Minimum time required between login attempts. Default is 1000.
    • Minimum Quick Login Wait: Minimum amount of time the user will be temporarily disabled if login attempts are quicker than Quick Login Check Milliseconds. Default is 1 minute.
    • Max Wait (temporary lockout): The maximum amount of time for which a user will be temporarily disabled. Default is 15 minutes.
    • Failure Reset Time (temporary lockout): Time after which the failure count will be reset; the timer starts from the last failed login. Default is 12 hours.
  6. Click Save.

Another way to prevent password guessing is to configure the server to use a one-time-password (OTP). For more information, see Multi-factor authentication.