How it works?
When there are broken web apps with weak password policies and are improperly configured, an attacker can intercept those requests from the web application using a tool called burp suite (proxy interception tool) and enumerate all the possible users on the web application.
Stopping these attacks from happening is actually more complicated than you think.
Here is a list of things to keep in mind for strong authentication mechanisms.
- Do not reveal too much information about the user such as error/success login attempts.
- Externalize the passwords ( Hashes with salts ) or ( store them in an encrypted file )
- Strong password policies ( Lockouts, aging, hashes with salts, strong passwords )