Report: Developers need to stop brute force attacks by limiting sign-in attempts

A report from security firm AppBugs says that developers of some of the most popular iOS and Android apps are leaving their subscribers vulnerable to having their passwords cracked. The problem is that the apps put no limit on log-in attempts, so attackers can use brute force attacks to discover users' passwords. These attacks take advantage of the missing limit by having a computer submit every possible combination until the correct password is found.

AppBugs found 53 mobile apps for iOS and Android that aren't protected from brute force attacks, which means that over 600 million iOS and Android users are at risk. Popular apps that won't stop brute force attacks include iHeart Radio, Watch ESPN, Expedia, CNN, SoundCloud and Walmart, to name a few. A study conducted on 70 million passwords found that, depending on how strong a particular password is, a brute force attack can net a hacker the correct password in anywhere from 30 minutes to 24 days. That figure assumes a single computer; attackers usually employ multiple computers, which produces some pretty scary numbers.

If you are concerned about the apps you are using now, simply not using an app or uninstalling it will not help, since your information remains on the app's server. According to AppBugs, you should disable any apps that are open to brute force attacks. You might have to contact the developer, since the method for disabling each app differs. There is one other thing you can do: make your password harder to discover by using more than 20 characters. That won't eliminate the threat from a brute force attack, since your password can eventually be discovered anyway, but a password of over 20 characters buys time, because it takes longer for the correct combination to be found.

Ultimately, if enough consumers complain, developers might be concerned enough to limit the number of sign-in attempts, or use a two-step verification process that will prevent brute force from stealing passwords.

Source: AppBugs via RedmondPie



1. slannmage

Posts: 289; Member since: Mar 26, 2013

The thing is they now ask you to have this crazy combination of letters, symbols, upper/lower case, numbers etc etc. If you don't let me choose a password I'll remember, I end up trying about 20 times before I get the right one as I've had to make 20 different passwords based on different rules. Hack my accounts, I don't care, all you'll find is debt, no money here.

2. lallolu

Posts: 732; Member since: Sep 18, 2012

I am also tired of being forced to make combinations that are difficult to remember. Furthermore, different apps/sites have different password rules, so even if one made a very secure password, it would not pass the acceptable combinations for other sites/apps.

3. vincelongman

Posts: 5693; Member since: Feb 10, 2013

Doesn't two-step verification prevent this? More devs should support it. I think all my important accounts have two-step verification. Also, a few of my important accounts message me about attempted logins as well (more devs should implement that too).

4. Andrewtst

Posts: 696; Member since: Jan 25, 2009

Every site or app should give the user a choice of whether they need a crazy combination or a simple one, for users who don't mind their account being hacked because it isn't important to them.
