Editing Brute-force attack (section)

==Countermeasures==
In case of an ''offline'' attack where the attacker has gained access to the encrypted material, one can try key combinations without the risk of discovery or interference. In case of ''online'' attacks, database and directory administrators can deploy countermeasures such as limiting the number of attempts that a password can be tried, introducing time delays between successive attempts, increasing the answer's complexity (e.g., requiring a [[CAPTCHA]] answer or employing [[multi-factor authentication]]), and/or locking accounts out after unsuccessful login attempts.{{sfn|Burnett|Foster|2004|p=}}{{page needed|date=March 2012}}  Website administrators may prevent a particular IP address from trying more than a predetermined number of password attempts against any account on the site.{{sfn|Ristic|2010|p=136}} Additionally, the MITRE D3FEND framework provides structured recommendations for defending against brute-force attacks by implementing strategies such as network traffic filtering, deploying decoy credentials, and invalidating authentication caches.<ref>{{Cite web |title=Implementing MITRE D3FEND for ATT&CK Technique T1110: Brute Force
 |url=https://d3security.com/blog/implementing-mitre-d3fend-for-attck-technique-t1110-brute-force/ |access-date=2024-06-19 |website=D3 Security |date=August 25, 2023 |language=en}}</ref>