THC Hydra is very cool, as is any brute-forcing tool (Fast Track in BT4 is nice), but there is a very simple way to shut down brute force attacks on your exposed authentication interfaces: add a Captcha or similar technology. Lots of companies are getting into strong authentication with codes and tokens, but you may not need to go that far. In lower-risk cases, where the need is just to keep the system clean, a simple recognition code keeps out all but the most dedicated brute force attempts. An attacker with enough patience or enough money may still be able to mount a brute force attack, but the chance of recognizing it in the logs and alerting so you can take appropriate action is much higher with that level of attention.

So if you're not protecting credit cards for PCI-DSS and you're not guarding medical information for HIPAA, think about adding a Captcha or other simple recognition code that will make your application a much harder target. And don't forget to have it professionally tested and evaluated once you've modified it.

Digital Trust – helping companies keep security costs down.
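As an added illustration (not code from the original post), here is the shape of such a gate: after a few failed logins on an account the handler refuses to even check the password until a challenge is solved, and it writes a log line that an alerting rule can key on. `verify_password` and `verify_challenge` are assumed application hooks; the second would call whatever Captcha service the application uses.

```python
import logging
import time
from collections import defaultdict, deque

logger = logging.getLogger("auth")

FAILURE_THRESHOLD = 3   # failures per account before a challenge is demanded
WINDOW_SECONDS = 600    # sliding window in which failures are counted


class LoginGate:
    """Front a password check with a challenge once an account sees repeated
    failures. verify_password(user, pw) and verify_challenge(token) are
    assumed application hooks (the latter would call the Captcha service)."""

    def __init__(self, verify_password, verify_challenge, now=time.time):
        self._verify_password = verify_password
        self._verify_challenge = verify_challenge
        self._now = now                          # injectable clock for tests
        self._failures = defaultdict(deque)      # user -> failure timestamps

    def recent_failures(self, user):
        q = self._failures[user]
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:               # drop failures outside window
            q.popleft()
        return len(q)

    def challenge_required(self, user):
        return self.recent_failures(user) >= FAILURE_THRESHOLD

    def attempt(self, user, password, challenge_token=None):
        """Return 'ok', 'denied' or 'challenge'. The challenge is checked
        before the password so an unsolved request learns nothing about it."""
        if self.challenge_required(user):
            if not self._verify_challenge(challenge_token):
                # This is the line a detection/alerting rule should match on.
                logger.warning("brute-force suspected user=%s failures=%d",
                               user, self.recent_failures(user))
                return "challenge"
        if self._verify_password(user, password):
            self._failures.pop(user, None)       # success clears the counter
            return "ok"
        self._failures[user].append(self._now())
        logger.info("login failed user=%s failures=%d",
                    user, self.recent_failures(user))
        return "denied"
```

A real deployment would also count failures per client address and keep the counters in a shared store so the limit holds across application servers.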