Why is it important: The recent Windows 11 Insider Update blocks brute-force attacks automatically. Windows now ships with an account lockout policy that covers all user accounts, including administrator accounts. The policy locks an account after ten failed login attempts, which stops a brute-force attack from running to completion.

David Weston, Microsoft’s vice president of security and enterprise, announced the news via Twitter earlier this week. The lockout policy is designed to mitigate Remote Desktop Protocol (RDP) and other brute-force attack vectors, Weston said. The new feature is available in Windows 11 Insider Preview builds 22528.1000 and newer. It will also be rolled out to Windows 10; however, Windows 10 users will have to enable the policy manually.

Brute-force attacks are executed using scripts and applications designed to generate millions of password combinations in order to obtain user credentials. The attack tries every combination until the password is found. The time it takes to discover the correct combination is directly related to the length and complexity of the password. The new feature will effectively stop brute-force attacks against Windows 11 by locking the account after the attacker's first ten failed password attempts.
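As an added example (not code from the article or from Microsoft), the following PowerShell script shows the manual side of what the article describes for Windows 10: it reads the current local lockout threshold, sets the ten-attempt policy when lockout is disabled or looser, and then summarises failed-logon events so a defender can see the attempts the policy is meant to cut off. The threshold of ten is the article's value; the lockout duration and observation window (both ten minutes) and the one-hour lookback are assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the article or from Microsoft.
# Audits and sets the local account lockout policy, then summarises failed logons.
# Run elevated on Windows 10/11. On domain-joined machines Group Policy overrides
# the local setting, so apply the equivalent values there instead.

$Threshold   = 10   # failed attempts before lockout (the article's value)
$DurationMin = 10   # minutes an account stays locked (assumed value)
$WindowMin   = 10   # minutes before the failed-attempt counter resets (assumed value)
$LookbackHrs = 1    # how far back to scan the Security log (assumed value)

# 1. Read the current local policy from 'net accounts' output.
$accountsText = (net accounts) -join "`n"
$currentThreshold = 'unknown'
if ($accountsText -match 'Lockout threshold:\s*(\S+)') { $currentThreshold = $Matches[1] }
Write-Host "Current lockout threshold: $currentThreshold"

# 2. Apply the policy if lockout is off ('Never') or allows more than $Threshold attempts.
if ($currentThreshold -eq 'Never' -or
    ($currentThreshold -match '^\d+$' -and [int]$currentThreshold -gt $Threshold)) {
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMin /lockoutwindow:$WindowMin | Out-Null
    Write-Host "Lockout policy set: threshold=$Threshold, duration=${DurationMin}m, window=${WindowMin}m"
}

# 3. Detection: count failed logons (Security event 4625) per source address and
#    report any source that has reached the lockout threshold.
$since  = (Get-Date).AddHours(-$LookbackHrs)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$failed |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        # 'IpAddress' is the source-address field in the 4625 event data.
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object { Write-Host "Source $($_.Name): $($_.Count) failed logons since $since" }

# 4. Lockouts the policy actually triggered are recorded as Security event 4740.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                         -ErrorAction SilentlyContinue
Write-Host "Accounts locked out in the last $LookbackHrs hour(s): $(@($lockouts).Count)"
```

Failed-logon auditing must be enabled for event 4625 to appear; without it step 3 reports nothing even while an attack is under way. The event-4740 count in step 4 is the quickest way to confirm that the lockout policy is active and firing rather than merely configured.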

Despite their age and simplicity, brute-force attacks have experienced a resurgence due to today’s needs in the workplace. The Covid-19 pandemic has forced many employees and companies to use and rely on various remote solutions. The shift in connectivity in the workplace has led to a surge in brute-force attacks, rising from 150,000 attacks a year to over one million at the start of the pandemic.

This move by Microsoft is a huge step forward in reducing the effectiveness of one of the oldest and simplest attacks plaguing users around the world. Despite the new policy, users must still apply best security practices by creating complex passwords using extended character lengths, variable case, numbers, and (when allowed) special characters.