Is brute force a probable threat even if you enable CAPTCHA and rate limit logins?

The protections you describe are good ones that you should consider, but there can still be weaknesses:

  • Many CAPTCHAs can be solved by robots, or you can easily pay people to solve them en masse for you (there are companies selling that service).
  • Account lockout is a good idea, but if you do it based on IP, someone with access to a botnet could retry login on a single account from different IPs until they get in.
  • Offline brute force is still a problem if your database gets leaked. If the attacker has access to the password hash, they can try all they want on their own system. That's why you should use good hashing.

Maybe.

It depends on how you define "brute force".

A lockout after X incorrect attempts is great for protecting an account where an attacker is going after a single target.

There's another scenario where the attacker has picked a few common passwords ("password", "password123", etc.), and rather than attacking a single user, they try their 4 common passwords on every account they know of in your system.

User: Jim
PW: password, password123, letmein, secret

User: Bob
PW: password, password123, letmein, secret

User: Alice
PW: password, password123, letmein, secret

This is more common in scenarios where attackers are looking to harvest credentials for resale on the darknet, or make lateral moves to other services where passwords may have been reused.

I suggest you add something in place to count the rate of overall invalid logins, rather than just on a per account or IP level.
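The global counter this answer recommends, as an added example in Python (not the answerer's code): it tracks failed logins both per account and across the whole system in a sliding window, then replays a constructed password spray of the shape shown above. The window length and the two thresholds are assumed tuning values; the point is that the per-account counter never reaches its lockout limit while the system-wide counter does.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: float      # seconds; constructed values in the simulation below
    user: str
    ip: str
    success: bool


class FailureMonitor:
    """Counts failed logins per account AND across the whole system.

    A password spray stays under the per-account lockout threshold on every
    account, so only the global counter reveals it. Window and thresholds
    are assumed tuning values, not figures from the original answer.
    """

    def __init__(self, window=60.0, per_account_limit=5, global_limit=20):
        self.window = window
        self.per_account_limit = per_account_limit
        self.global_limit = global_limit
        self.per_account = {}          # user -> deque of failure timestamps
        self.global_fails = deque()    # timestamps of every failure, any user

    def _prune(self, dq, now):
        # Drop timestamps that have fallen outside the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def record(self, ev):
        """Record one login attempt; return the set of alerts it triggers."""
        alerts = set()
        if ev.success:
            return alerts
        acct = self.per_account.setdefault(ev.user, deque())
        acct.append(ev.ts)
        self._prune(acct, ev.ts)
        if len(acct) >= self.per_account_limit:
            alerts.add(f"lockout:{ev.user}")
        self.global_fails.append(ev.ts)
        self._prune(self.global_fails, ev.ts)
        if len(self.global_fails) >= self.global_limit:
            alerts.add("global-failure-rate")
        return alerts


COMMON_PASSWORDS = ["password", "password123", "letmein", "secret"]


def simulate_spray(n_accounts=10, spacing=0.5):
    """Constructed spray: every account gets the same 4 guesses, all wrong.

    Returns (max failures seen on any single account, set of alerts raised).
    """
    mon = FailureMonitor()
    all_alerts = set()
    ts = 1_000.0
    for _pw in COMMON_PASSWORDS:           # outer loop over guesses, inner over users
        for i in range(n_accounts):
            ev = LoginEvent(ts, f"user{i}", "203.0.113.7", success=False)
            all_alerts |= mon.record(ev)
            ts += spacing
    max_per_account = max(len(dq) for dq in mon.per_account.values())
    return max_per_account, all_alerts


if __name__ == "__main__":
    print(simulate_spray())   # (4, {'global-failure-rate'})
```

Each account ends the spray with 4 failures, one short of the lockout limit, so a per-account rule alone would stay silent; the system-wide window crosses 20 failures partway through and raises the alert. In production the global threshold should be set relative to the normal background rate of typos for your user base, and an alert should feed a response (extra friction, analyst review) rather than locking everyone out, since a global lockout would hand the attacker the DoS discussed in the next answer.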


It is a threat in a different sense. If you lock accounts for 15 minutes after 5 unsuccessful attempts, then you've effectively built in a DoS mechanism.

Assume I don't really want to break in, but I'm fine with just causing havoc, no problem. Just do a few thousand logins per second with random usernames. Hey, I'll not even bother doing the CAPTCHA, who cares. All I want is to fail and lock up.

A better strategy than a fixed amount of time after a fixed number of failures might be quadratic (or exponential) growth. Some AVM routers do that. First login failure, you have a 15 second lockout, next failure you have 30, etc. This is much less hassle to legitimate users, and much more trouble to attackers.
In order to make DoS harder, you would need a kind of recipe involving the IP address as well as the account name, capping the maximum delay per account-IP pair to a tolerable value. Otherwise, a legitimate user could still be DoSed easily and indefinitely. The exponential growth deals better with the "infinite number of attempts" problem, though.

Actually finding a username-password pair online by brute force is, well, assuming people aren't stupid, practically hopeless. Unluckily, people are stupid, so you cannot assume they won't have one of the top-ten-most-stupid passwords, and you must assume it's doable. So, yes, there is a bit of a threat there, too. In particular because while it may be hard to target one user on one server, on a purely username-based control system, you can target a thousand users on that same server in parallel no problem (each scoring only a single fail!) and you can do that on a thousand servers in parallel. And, it doesn't really cost you anything to keep this script running for weeks (months, years...), retrying every 15-20 minutes.

So, while for the individual account your chances as attacker are very small, as numbers add up to, well, virtually infinity, you are bound to hit someone, somewhere, eventually; it's unavoidable. Since otherwise it's trivial to try a thousand users in parallel, it should be clear that you also need to consider IP addresses in your calculation. Even so, it doesn't give 100% protection against a botnet with a few thousand bots, but it sure makes the attack somewhat less effective, requiring more work and management. More work is good.

You cannot win the race once you are a serious target, but the harder you make an attacker's work, the more likely it is the attacker chooses someone else (who's an easier target) to begin with.
It's very much the same thing as locking your front door instead of leaving it wide open. A burglar can easily break your window, and there's finally nothing you can do to prevent someone from entering. But given the choice of an open door at the neighbour's house and having to smash your window, he will likely choose the easier way. Fewer expenses, same profit.
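The capped, doubling lockout keyed on the account-IP pair that this answer describes, as an added Python example (not the answerer's code, and not taken from any AVM firmware). The 15 second base, the doubling factor and the 15 minute cap are assumed values; the simulation shows the attacker's wait growing to the cap while a legitimate user on a different IP is only ever delayed by their own mistakes.

```python
class ExponentialLockout:
    """Lockout keyed on (account, IP): the delay doubles after each consecutive
    failure and is capped, so one pair can neither be locked forever nor
    lock out the same account from other addresses.

    base_delay, cap and the doubling are assumed parameters for illustration.
    """

    def __init__(self, base_delay=15.0, cap=900.0):
        self.base_delay = base_delay
        self.cap = cap
        self.state = {}   # (user, ip) -> (consecutive failures, locked_until)

    def delay_for(self, failures):
        # 15s, 30s, 60s, ... up to the cap
        return min(self.base_delay * (2 ** (failures - 1)), self.cap)

    def check(self, user, ip, now):
        """Seconds the caller must still wait for this pair (0.0 if allowed)."""
        _, locked_until = self.state.get((user, ip), (0, 0.0))
        return max(0.0, locked_until - now)

    def record_failure(self, user, ip, now):
        failures, _ = self.state.get((user, ip), (0, 0.0))
        failures += 1
        delay = self.delay_for(failures)
        self.state[(user, ip)] = (failures, now + delay)
        return delay

    def record_success(self, user, ip):
        # A successful login resets the counter for that pair only.
        self.state.pop((user, ip), None)

    def attempt(self, user, ip, credentials_ok, now):
        """Process a login attempt. Returns ("locked", wait), ("ok", 0.0) or
        ("fail", delay). The credential check itself is out of scope here."""
        wait = self.check(user, ip, now)
        if wait > 0:
            return ("locked", wait)
        if credentials_ok:
            self.record_success(user, ip)
            return ("ok", 0.0)
        return ("fail", self.record_failure(user, ip, now))


ATTACKER_IP = "198.51.100.9"   # constructed documentation addresses
HOME_IP = "192.0.2.5"


def attacker_delays(n=9):
    """Attacker hammers 'alice' with wrong passwords, waiting out each lock.
    Returns the lockout imposed after each failure."""
    lock = ExponentialLockout()
    now, delays = 0.0, []
    for _ in range(n):
        _, delay = lock.attempt("alice", ATTACKER_IP, False, now)
        delays.append(delay)
        now += delay          # attacker resumes the instant the lock expires
    return delays


def legit_user_flow():
    """While the attacker is locked out at the cap, Alice on her own IP makes
    one typo, retries too early, then logs in. Returns those three results
    plus the attacker's remaining wait at the moment Alice succeeds."""
    lock = ExponentialLockout()
    now = 0.0
    for _ in range(7):
        now += lock.check("alice", ATTACKER_IP, now)   # wait out current lock
        lock.attempt("alice", ATTACKER_IP, False, now)
    typo = lock.attempt("alice", HOME_IP, False, now)
    too_soon = lock.attempt("alice", HOME_IP, True, now + 5)
    ok = lock.attempt("alice", HOME_IP, True, now + 20)
    attacker_wait = lock.check("alice", ATTACKER_IP, now + 20)
    return typo, too_soon, ok, attacker_wait


if __name__ == "__main__":
    print(attacker_delays())     # [15.0, 30.0, 60.0, ..., 900.0, 900.0]
    print(legit_user_flow())     # (('fail', 15.0), ('locked', 10.0), ('ok', 0.0), 880.0)
```

Keying on the pair is what prevents the DoS from the start of this answer: a stranger failing against your username from their address never touches your own (account, IP) entry. The trade-off the answer also names still holds: an attacker with many addresses gets a fresh counter per address, which is why this per-pair throttle belongs alongside the system-wide failure counter from the previous answer rather than replacing it.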