Cloud-based computing systems are increasingly at risk of security breaches from brute force and other types of attacks designed to gain privileged access to the system. In a brute force attack, single client devices, or groups of client devices, are configured to repeatedly request access to the cloud-based system until access is granted. Each request may iterate through a sequence of possible values for login parameters such as user names and passwords. Because the total number of possible values is typically much larger than the number of registered or correct values for logging in to the system, brute force attacks typically involve a large number of incorrect requests for access before they succeed.
One way to try to stymie a brute force attack is to present the client device with a Turing challenge—for example, a Completely Automated Public Turing test to Tell Computers and Humans Apart (CAPTCHA). Turing challenges such as CAPTCHAs require a human user at the client device to answer a question or provide information in response to an inquiry, puzzle, or problem that is designed to be easy for a human but difficult for a computer program to provide a correct response. In such a system, only client devices that correctly provide a response to the Turing challenge will have their request for access (e.g., a request containing login information) processed, and an automated brute force attack will not be able to submit any of its requests for access. However, having to respond to a Turing challenge with every login can be irritating to human users. There is a need for approaches for protecting against brute force attacks while avoiding annoying human users with a Turing challenge. Such alternative systems and methods for protecting against brute force attacks are described herein.