☠️ Best way to prevent Brute Force Attacks

I am constantly concerned about my app`s security. I am always revising my privacy rules, visibility of some elements, blocking workflows based in users access and etc.

I would like to propose here a debate about Brute Force Attacks to know how you guys are protecting youselfs of it.

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack.

The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.

However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts. In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.

:link: Full article here

Are you guys using reCAPTCHA?
What solution do you use in Bubble to prevent these attacks?


Brute force attacks are expensive, more so than DDoS.

Plus Bubble is under automatic mechanisms to waive that, since it is behind Cloudflare.
Dedicated plan allows you to use 2FA. In the eventuality of a single or multi account password breach, 2FA will protect everyone.

A measure you can apply yourself is a captcha on your website, it will make the attack even more expensive, here’s an easy way to do it: https://friendlycaptcha.com/

You can also have magic link logins and have the hidden passwords behind the scenes be huge strings with high entropy, thus making a brute force attack even more expensive.

Or enforce a policy of high entropy passwords, in this case users will have to use a password manager on their own.

And that is just getting started, I am a builder and not a security expert. And this is only if you really think you will be attacked. Know your threat model and act accordingly :blush:

If you think a nation state is out for you, being offline and wearing an invisibility cape will help you :sweat_smile:

If you have an average commercial app, then standard all round security will matter much more than sophistication against a specific attack vector. For example, I read somewhere that phishing attacks are the main ones today, super cheap and super efficient to carry on, and harder to defend against.

In Bubble, as bubblers, the main things are proper privacy rules and keeping API keys secret.

1 Like

Hi @vini_brito ! :wave:

Thank you for the very detailed response!

I was trying to instal Google reCAPTCHA v3 (that is invisible), but I am not having success with it. I think I will try reCAPTCHA v2 (saw a Bubble plugin for it) and post the result here.

This Friendly Captcha is cool! Thanks. Didn’t know it. But I didn’t find anything in the documentation talking about “language customization”. I am in Brazil (I think you are too, don’t you). It would be nice to have something in portuguese for the users :sweat_smile:

In your apps, do you use it??

Yeah. you are right! That is what I am already doing :muscle:. My concern here is more about the login process itself and a debate on how to prevent Brute Force Attacks…


This topic was automatically closed after 70 days. New replies are no longer allowed.