I suspect you’re not trying to test the vulnerability of the password, but trying to test the vulnerability of your form to brute force attacks?
Because yes, your password is vulnerable to a brute force attack. Every password is if the attacker is allowed to work long enough (for a good password, long enough might be millions of years). I think you’re overkilling it. You don’t need to test every permutation of a password; you just need to test that your defense mechanisms (lock out after X wrong passwords) are functioning, so your test should just enter X incorrect passwords and you can verify your form is behaving correctly.
Trying to determine how long it will take to brute force your password seems pointless to me. Let’s say you prevent login attempts for 10 minutes after 10 failed attempts. Unless your password is literally ‘password’, you’ve effectively made it impossible to brute force your login form.
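The lockout test described in this answer, as an added example that is not part of the original post: it sends X wrong passwords, then checks that even the correct password is refused until the lock window ends. `LoginForm`, `FakeClock`, `check_lockout` and the account data are hypothetical, constructed stand-ins; against a real form, replace `form.attempt` with a function that submits to your own login endpoint.

```python
class FakeClock:
    """Controllable clock so the test does not really wait 10 minutes."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class LoginForm:
    """Constructed stand-in for the form under test (hypothetical)."""
    def __init__(self, users, clock, max_failures=10, lock_seconds=600):
        self.users, self.clock = users, clock
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.failures, self.locked_until = {}, {}

    def attempt(self, user, password):
        if self.clock() < self.locked_until.get(user, 0.0):
            return "locked"  # refuse without even checking the password
        if self.users.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lock_seconds
            self.failures[user] = 0
        return "denied"

def check_lockout(attempt, clock, user, good_password,
                  max_failures=10, lock_seconds=600):
    """Return a list of findings; an empty list means the defence works."""
    findings = []
    for i in range(max_failures):
        if attempt(user, f"wrong-{i}") != "denied":
            findings.append(f"wrong password {i + 1} was not denied")
    # The real password must also be refused while the lock is active.
    if attempt(user, good_password) != "locked":
        findings.append("correct password accepted during lockout")
    clock.advance(lock_seconds - 1)
    if attempt(user, good_password) != "locked":
        findings.append("lock released early")
    clock.advance(1)
    if attempt(user, good_password) != "ok":
        findings.append("account still locked after the window")
    return findings

def run_demo(form_max_failures=10):
    """Check a form configured with form_max_failures against a 10-try policy."""
    clock = FakeClock()  # constructed account data below
    form = LoginForm({"alice": "correct horse"}, clock, max_failures=form_max_failures)
    return check_lockout(form.attempt, clock, "alice", "correct horse")
```

`run_demo()` returns an empty list for a form that locks after 10 failures, while `run_demo(11)` reports findings because the form locks one attempt later than the policy under test.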