Report: Developers need to stop brute force attacks by limiting sign-in attempts

A report from security firm AppBugs says that developers of some of the most popular iOS and Android apps are leaving their subscribers vulnerable to getting their passwords hacked. The problem is that by not putting a limit on log-in attempts, hackers can use brute force attacks to discover users' passwords. These attacks take advantage of the lack of limits by using a computer to go through every possible combination until the correct password is found.

AppBugs found 53 mobile apps for iOS and Android that aren't protected from brute force attacks. This means that over 600 million iOS and Android users are at risk. Some of the popular apps that won't stop brute force attacks include iHeart Radio, Watch ESPN, Expedia, CNN, SoundCloud and Walmart, just to name a few. A study conducted on 70 million passwords found that, depending on how strong a particular password is, a brute force attack can net a hacker the correct password in 30 minutes to 24 days. But that is based on the use of one computer. Hackers usually employ multiple computers, which results in some pretty scary figures.

If you are concerned about the apps you are using now, simply not using or uninstalling them will not help, since your information remains on the app's server. According to AppBugs, you should disable any apps that are open to brute force attacks. You might have to contact the developer, since the method for disabling each app differs. One other thing you can do is make your password harder to discover by using more than 20 characters to create it. That won't eliminate the threat from a brute force attack, since your password can eventually be discovered anyway. But a password of over 20 characters buys you some time, since it will take longer for the correct combination to be found.

Ultimately, if enough consumers complain, developers might be concerned enough to limit the number of sign-in attempts, or use a two-step verification process that will prevent brute force from stealing passwords.
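One server-side way to enforce the limit the report calls for, as an added example that is not from the AppBugs report or from any of the named apps: a login handler that locks an account after a fixed number of consecutive failures and doubles the lockout on each repeat, so an attacker's guess rate is capped regardless of how many machines they use. The `LoginService` API, the policy values and the demo account are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed demo policy (assumption, not from the AppBugs report):
# after MAX_FAILURES consecutive failures the account is locked for
# BASE_LOCKOUT seconds, and each further lockout doubles that window.
MAX_FAILURES = 5
BASE_LOCKOUT = 30.0


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0       # consecutive failures since the last success
    lockouts: int = 0       # lockouts since the last success (drives backoff)
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so offline guessing is expensive as well.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float | None = None) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"   # same answer as a wrong password: no username oracle
        if now < acct.locked_until:
            return "locked"    # reject outright; the password is not even checked
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = acct.lockouts = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + BASE_LOCKOUT * (2 ** acct.lockouts)
            acct.lockouts += 1
            return "locked"
        return "invalid"
```

Every `locked` result is also the event a defender should log and alert on, since a burst of lockouts across many accounts is the signature of the attack the report describes.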

source: AppBugs via RedmondPie
