Preventing Umbraco brute force cracking

At Codegarden 13 I wrote probably the least exciting Umbraco package ever. It doesn't add any features, and it won't make your editors happier. It was created in response to security reviews we've had done on some of our sites. One issue that came up regularly was that it was possible to brute force crack the backend of Umbraco.

If you're not familiar with a brute force attack, this is where an attacker keeps trying passwords until one works. Quite often the attack first runs through a dictionary of words and common passwords before trying every possible character combination. Given enough time the attacker will eventually hit upon the correct password. Here is a very crude screenr example of a brute force attack using a dictionary on an Umbraco site. I chose an obscure dictionary word as my password, but it found it pretty quickly, after trying over 4000 dictionary words.

Here are several ways of mitigating the risk of this kind of attack:

  1. Always choose a secure password involving letters, numbers and special characters, at least 8 characters long and ideally 12 or longer. If you think about the maths this makes sense: an 8 character password using only lowercase letters has 26 to the power of 8 combinations (208,827,064,576), whereas a 12 character password drawn from uppercase, lowercase, numeric and 10 special characters (72 symbols in total) has 72 to the power of 12 combinations (19,408,409,961,765,342,806,016).
  2. Never use a dictionary word. As you can see above, that narrows the possible options enormously: the Oxford English Dictionary has only ~170,000 words, so a dictionary attack needs far fewer guesses than a full character search.
  3. Enforce a password change policy, so that passwords need to be changed at least every month.
  4. Don't make the login for your site publicly available; for example, restrict it through the firewall to certain IP addresses.
  5. Lock out users after x failed attempts for at least several minutes.

My package addresses point 5 above. It inherits from Umbraco's user membership provider to add support for a maximum number of failed attempts and the window in which those attempts are counted. By default it silently fails all logins for a user once they have failed 5 times within a 10 minute window (the response is the same as for a wrong password, so an attacker can't tell the account is locked), after which they will be able to log in normally again.
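To show the shape of that lockout logic, here is an added example written for this post; it is not the package's own code and not Umbraco's API. The `LoginThrottle` and `ThrottledLogin` names are assumed, and the `inner` delegate stands in for the inherited provider's `ValidateUser`, which a real package would call via `base.ValidateUser` in its override. The clock is injectable so the demo can move time forward without waiting ten minutes.

```csharp
// Added example: sliding-window login lockout (5 failures in 10 minutes by default).
// Not the package's code; LoginThrottle/ThrottledLogin are assumed names.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

public sealed class LoginThrottle
{
    private readonly int _maxAttempts;
    private readonly TimeSpan _window;
    private readonly Func<DateTime> _clock;
    // username -> timestamps of recent failures, oldest first
    private readonly ConcurrentDictionary<string, Queue<DateTime>> _failures =
        new ConcurrentDictionary<string, Queue<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public LoginThrottle(int maxAttempts, TimeSpan window, Func<DateTime> clock = null)
    {
        _maxAttempts = maxAttempts;
        _window = window;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // Locked out when there are still maxAttempts failures inside the window.
    public bool IsLockedOut(string username)
    {
        Queue<DateTime> q;
        if (!_failures.TryGetValue(username, out q)) return false;
        lock (q)
        {
            Prune(q);
            return q.Count >= _maxAttempts;
        }
    }

    public void RecordFailure(string username)
    {
        var q = _failures.GetOrAdd(username, _ => new Queue<DateTime>());
        lock (q)
        {
            Prune(q);
            q.Enqueue(_clock());
        }
    }

    // A successful login clears the failure history for that user.
    public void RecordSuccess(string username)
    {
        Queue<DateTime> ignored;
        _failures.TryRemove(username, out ignored);
    }

    // Drop failures older than the window so the lock expires on its own.
    private void Prune(Queue<DateTime> q)
    {
        var cutoff = _clock() - _window;
        while (q.Count > 0 && q.Peek() < cutoff) q.Dequeue();
    }
}

public sealed class ThrottledLogin
{
    private readonly LoginThrottle _throttle;
    private readonly Func<string, string, bool> _inner; // stands in for base.ValidateUser

    public ThrottledLogin(LoginThrottle throttle, Func<string, string, bool> inner)
    {
        _throttle = throttle;
        _inner = inner;
    }

    public bool ValidateUser(string username, string password)
    {
        // Silent failure: a locked account answers exactly like a wrong password,
        // and the real credential check is skipped entirely while locked.
        if (_throttle.IsLockedOut(username)) return false;
        if (_inner(username, password))
        {
            _throttle.RecordSuccess(username);
            return true;
        }
        _throttle.RecordFailure(username);
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = new DateTime(2013, 6, 14, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        var throttle = new LoginThrottle(5, TimeSpan.FromMinutes(10), () => now);
        // Constructed stand-in for the real credential check.
        var login = new ThrottledLogin(throttle, (u, p) => u == "admin" && p == "S3cr3t!Pa55w0rd-demo");

        for (int i = 1; i <= 5; i++)
            Console.WriteLine("wrong password, attempt {0}: {1}", i, login.ValidateUser("admin", "guess" + i));
        Console.WriteLine("correct password while locked out: {0}", login.ValidateUser("admin", "S3cr3t!Pa55w0rd-demo"));
        now = now.AddMinutes(10).AddSeconds(1);
        Console.WriteLine("correct password after the window: {0}", login.ValidateUser("admin", "S3cr3t!Pa55w0rd-demo"));
    }
}
```

Two caveats worth keeping in mind with this design: the failure state lives in process memory, so on a web farm each server counts separately unless you move it to shared storage; and because the lock is keyed by username, anyone who knows an account name can keep it locked by feeding it bad passwords, which is why a short window such as 10 minutes is a sensible default rather than a permanent lock.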

Please install it and let me know if you find it useful, or if you have any questions get in touch: @steve_gibe. Next step is to get this functionality into a pull request to update the Umbraco core.

About the Author

Steve Temple, Technical Director and co-founder of Gibe

Steve is Gibe's technical director and the super brain behind the development of our major projects. With over 27 years of commercial experience, Steve is an expert in .NET, Umbraco and Microsoft technologies. Steve is also an Umbraco Certified Master and a Microsoft MCSD.