Brute force attack app download for android registration
Robust defences generally require you to assume that the attacker knows everything about the system except the secret key (Kerckhoffs's Principle), so you should start from that position. Any serious attempt will either hit your server directly because a login URL/API was detected, or will run your client through an intercepting proxy to capture the details required to create a brute force run. Client side measures are only a partial (and mostly cosmetic) solution; they can only limit non-serious attempts.

Make it hard/impossible for an attacker to determine valid user names, invalid passwords or locked out accounts (basically minimal feedback, i.e. no "invalid username" or "password too long" messages, though issue a unique incident code if this is important for user support).

As noted in the comment by My1, open registration may be a weak point here.
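The minimal-feedback login handling described above, as an added example that is not part of the original answer: a leaky handler beside a hardened one that returns the same message for every failure class and records the real cause server-side under a unique incident code. The in-memory user store, the incident-code format and the 64-character limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> salt, PBKDF2 hash, lock flag.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "locked": False},
    "bob":   {"salt": _SALT, "hash": _hash("hunter2", _SALT), "locked": True},
}
DUMMY_HASH = _hash("dummy", _SALT)   # hashed against unknown users so they cost the same work
MAX_PW_LEN = 64                      # assumed policy limit
SERVER_LOG = []                      # stands in for the server-side audit log
GENERIC_MSG = "Login failed. Incident {code}"

def login_leaky(username: str, password: str):
    """The 'before': every failure class gets its own message, so an attacker
    can confirm user names, spot lockouts and learn the password policy."""
    user = USERS.get(username)
    if user is None:
        return False, "invalid username"
    if len(password) > MAX_PW_LEN:
        return False, "password too long"
    if user["locked"]:
        return False, "account locked"
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return False, "wrong password"
    return True, "ok"

def login_minimal_feedback(username: str, password: str):
    """The hardened form: one message for all failures; the real reason is
    logged server-side under an incident code the user can quote to support."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["hash"] if user else DUMMY_HASH
    match = hmac.compare_digest(_hash(password, salt), expected)  # always do the work
    if user is None:
        reason = "unknown user"
    elif len(password) > MAX_PW_LEN:
        reason = "password too long"
    elif user["locked"]:
        reason = "account locked"
    elif not match:
        reason = "wrong password"
    else:
        return True, "ok"
    code = secrets.token_hex(4)
    SERVER_LOG.append((code, username, reason))   # detail stays on the server
    return False, GENERIC_MSG.format(code=code)
```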