Brute-Force Protection

PlusAuth allows you to customize brute-force attack protection according to your requirements.

PlusAuth allows you to customize brute-force attack protection according to your requirements.

Brute force attacks are simple and reliable. In this type of attack, an attacker submits many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. As you can guess, this process is handled by computers. In a simple environment, thousands of passwords could be checked in a couple of seconds.

Brute-Force attack protection is enabled by default, and you can configure or disable it according to your requirements.

It is highly discouraged to disable brute-force attack protection.

To customize brute-force protection, go to Dashboard > Security and expand the Brute-Force Protection section.


EnabledEnable/Disable Brute-Force Protection
Send NotificationIf this is enabled, your users will receive an email informing them about the login attempt from the blocked IP after all attempts are exhausted. Blocked IP template will be used for this email.
Maximum Allowed AttemptsMaximum count for a user to consecutively fail logins for the same IP.
DurationAttempts will be counted for the specified seconds.
Block DurationHow many seconds should PlusAuth block the IP for the specified user.
IP WhiteListList of IP's should be ignored from brute-force protection

For example, with following configuration

Send Notification = true
Maximum Attempts = 10
Duration = 3600 (1 hour in seconds)
Block Duration = 2592000(30 Days in seconds)

if a user fails to login to their account consecutively 10 times (Maximum Allowed Attempts) in an hour (Duration) from the same IP, their account will be blocked for 30 days (Block Duration), and they will receive configured Blocked IP email.

Example Scenarios

Although it is advised to configure brute-force with low attempts and high durations, some would like to configure it in a less strict way.

For example, some would like to allow trying again in short duration rather than having long block durations.