Before moving on and talking about what I did, I have to say
that in the past years there have been two common techniques used by developers
to prevent dictionary attacks that are used either independently or in
combination with each other:
validation: Many websites implement some kind of CAPTCHA control that forces the user to enter
the text displayed in an image if he fails to log into a website after a few
attempts. This prevents automated dictionary attacks, but it has two big
issues: first, it has a very bad impact on the usability of the site, and
second, it is vulnerable to image processing techniques to parse the image and
automatically detect the text in order to continue the dictionary attack.
login attempt threshold: The other common mechanism is to store the number of
failed login attempts and prevent the user to log into the site for a duration
of time (e.g., 10 minutes) even if he provides the correct username and
password combination. This method that I’ve used in some projects looks more promising than the CAPTCHA controls
but has one weakness: it cannot prevent those types of attacks that are testing
a combination of usernames and passwords together. In other words, the hacker
may be able to find some valid usernames on the site that he can use for bad
Although these two methods are very powerful in practice,
they’re still vulnerable to different situations. If the user loses his
password and somebody has the password, he can easily get access to the
account. For some websites, this is not very critical, but for some sites and
services this is a very dangerous situation. For example, a GMail user who has
used his account for several years to store all his information and has put all
his eggs in one basket may lose many things in his life by having his GMail
And this is why Google implemented the 2-step verification
mechanism on GMail accounts, and Microsoft also added a similar feature to the
Live accounts. Previously, Facebook had a lighter form of this technique by
informing a user via SMS whenever his or her account was accessed by somebody.
Essentially, this 2-step verification (that may be called
with different names like two-step verification or phone verification as well)
is one of different types of two-factor authentication (TFA)
that tries to use text messaging in order to verify accesses to an account.
This can be as simple as notifying a user that his account is accessed by a
specific IP address at a specific time, or it can be more complex by requiring
the user that he enters a code that is sent to his phone in order to confirm
his identity when logging in.
Generally, the goal of 2-step verification is to use the
cell phone number of a user to make sure that accesses to an account are
legitimate, and the motivation behind this technique is that nowadays almost
everybody is using a cell phone and he’s carrying that everywhere. Even if a
password is compromised by some tricks, it is very hard to have access to
somebody’s mobile phone unless it is physically stolen.
I believe that a 2-step verification is a vital part of some
sites like banks, domain registrars, DNS managers, and site hosting services,
especially the cloud-based solutions, because a chain is as weak as its weakest
link, and if one part of the chain that makes a site is compromised, the whole
site is compromised!