A brute force attack (exhaustive search) is a cryptographic attack that relies on guessing possible combinations of a targeted password until the correct one is discovered. It uses trial and error to guess login information or encryption keys, or to find a hidden web page. Brute force attacks don’t employ an intellectual strategy; they simply try different combinations of characters until the correct combination is found. The longer the password, the more guesses an attacker needs before finding it, which is why long and complex passwords matter. For example, a four-character password takes significantly longer to brute force than a three-character one, and a five-character password takes significantly longer than a four-character one. Once the character count is beyond a certain point, brute forcing a properly randomized password becomes unrealistic.
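To make the growth described above concrete, the following added example (not code from the original post) computes the size of the search space for a given length and character set, the worst-case time to exhaust it, and the minimum length that keeps an exhaustive search beyond a chosen time budget. The guess rate of ten billion guesses per second is a constructed figure chosen for illustration; the character-set sizes are exact counts.

```python
from __future__ import annotations
import math

# Assumed guess rate for illustration only (constructed figure, not from the page).
GUESSES_PER_SECOND = 10_000_000_000

# Sizes of common character sets a password may be drawn from.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the expected time is about half."""
    return keyspace(length, charset_size) / rate


def min_length_for(years: float, charset_size: int,
                   rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust.

    Uses an integer comparison rather than a logarithm so that exact
    boundaries are not lost to floating-point rounding.
    """
    budget = years * SECONDS_PER_YEAR * rate   # guesses available in the budget
    n = 1
    while charset_size ** n < budget:
        n += 1
    return n


def growth_table(charset_size: int, lengths=range(3, 13)) -> list[tuple[int, float]]:
    """(length, seconds) pairs showing how one extra character multiplies the work."""
    return [(n, seconds_to_exhaust(n, charset_size)) for n in lengths]


if __name__ == "__main__":
    for n, secs in growth_table(CHARSETS["printable_ascii"]):
        print(f"{n:2d} chars: {secs:10.3g} s  ({secs / SECONDS_PER_YEAR:.3g} years)")
    print("minimum alphanumeric length for a 100-year budget:",
          min_length_for(100, CHARSETS["alphanumeric"]))
```

Each added character multiplies the work by the character-set size, so length matters more than any single clever substitution; the `min_length_for` helper turns that into a policy number for a given threat model.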
Some attackers use applications and scripts as brute force tools. These tools try numerous password combinations to bypass authentication processes. In fact, today almost all brute force attacks are performed by bots. Bots systematically attack websites, try lists of credentials, and notify the attacker when they gain access.
The most common type of brute force attack is a dictionary attack, which works through a list of credentials. The most commonly tried credentials are “admin” and “123456”.
Goals of a brute force attack include:
- Theft of personal information such as passwords, passphrases and other information used to access online accounts and network resources.
- Harvesting credentials to sell to third parties.
- Posing as users to send phishing links or spread fake content.
- Defacement of websites and other information in the public domain that could damage the reputation of the organization.
- Redirecting domains to sites holding malicious content.
They can also be used for positive gains. Many IT specialists use this method of attack to test network security and, more specifically, the strength of the encryption used on the network. (Source: forcepoint.com)
Types of Brute Force Attack
- Simple brute force attacks: hackers attempt to logically guess your credentials. These can reveal extremely simple passwords and PINs. This method doesn’t rely on outside logic.
- Dictionary attacks: These attacks are one of the most common forms of brute force attack. In this attack, the attacker works through a dictionary of possible passwords and tries them all. Of course, these attacks tend to be somewhat outdated because they often require a large number of attempts against possible targets.
- Reverse Brute Force Attacks: These attacks don’t target a specific username, but instead, use a common group of passwords or an individual password against a list of possible usernames. In other words, this attack reverses the attack strategy by starting with a known password. Then hackers search millions of usernames until they find a match.
- Credential Stuffing: This attack exploits the fact that many users have the same username and password across different systems. For example, many users choose the same password to access many different websites for the sake of simplicity. These attacks have a low rate of success and primarily rely on lists of usernames and passwords commonly found from data breaches.
- Rainbow table attacks: A rainbow table is a precomputed table for reversing cryptographic hash functions. It can be used to recover, from its hash, a password up to a certain length that consists of a limited set of characters.
- Hybrid brute force attacks: These attacks usually mix dictionary and brute force attacks. Instead of trying literally all passwords, this attack performs small modifications to words in a dictionary, such as adding numbers or changing the case of letters. Passwords such as Chicago1993 or Soprano12345 are examples of what a hybrid brute force attack would find.
How to Defend Against Brute Force Attacks
- Use an advanced username and password: Protect yourself with credentials that are stronger than admin and password1234 to keep out these attackers. The stronger this combination is, the harder it will be for anyone to penetrate it. Never use information that can be found online (like names of family members). Also, avoid using common patterns.
- Remove any unused accounts with high-level permissions: These are the cyber equivalent of doors with weak locks that make breaking in easy. Unmaintained accounts are a vulnerability you can’t risk. Throw them away as soon as possible.
- Increase password length: More characters equal more time to brute force crack. Users should choose 10-character passwords that include symbols or numerals. So use as many characters as possible.
- Increase password complexity: More options for each character also increase the time to brute force crack. Users should choose complex passphrases rather than single words. Dictionary attacks are built specifically for single-word passwords and make a breach nearly effortless. So combine letters, numbers, and symbols.
- Use unique passwords for every site you use: It is even recommended to use a different username for every site as well.
- Salt the hash: Administrators should also randomize password hashes by adding a random string of letters and numbers to the password itself. This string should be stored in a separate database and retrieved and added to the password before it’s hashed. By salting the hash, users with the same password have different hashes.
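The salting step described above, written out as an added example (it is not code from the original post). Each user gets a fresh random salt, the salt and password go through a deliberately slow key-derivation function so every guess costs the attacker real work, and verification uses a constant-time comparison. The salt length, the iteration count and the record layout are this example's own choices; the user names and the shared password are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Example parameters (assumptions of this example, not values from the page).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000   # slow on purpose: each guess costs this many SHA-256 rounds


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_records(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Hash a {username: password} mapping into {username: (salt, digest)} records."""
    return {name: hash_password(pw) for name, pw in users.items()}


def same_password_same_hash(records: dict[str, tuple[bytes, bytes]],
                            a: str, b: str) -> bool:
    """True only if two users' stored digests are identical."""
    return records[a][1] == records[b][1]


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same weak password.
    records = build_records({"alice": "Chicago1993", "bob": "Chicago1993"})
    print("same digest despite same password?",
          same_password_same_hash(records, "alice", "bob"))     # False
    salt, digest = records["alice"]
    print("correct password verifies:", verify_password("Chicago1993", salt, digest))
    print("wrong case rejected:      ", verify_password("chicago1993", salt, digest))
```

Because the salt differs per user, an attacker cannot crack one digest and reuse the result for everyone who chose the same password, and a precomputed table built without the salt is useless against these records.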
- Limit login attempts: A good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress. For example, allowing three attempts to enter the correct password before locking out the user for several minutes can cause significant delays and cause hackers to move on to easier targets.
- Account lockdown after excessive login attempts: if a hacker can endlessly keep retrying passwords even after a temporary lockout, they can return to try again. Locking the account and requiring the user to contact IT for an unlock will deter this activity.
- High encryption rates: Use strong encryption, such as 256-bit encryption. The more bits in the encryption scheme, the harder the password is to crack.
- Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress. Captcha comes in many types, including retyping the text in an image, checking a checkbox, or identifying objects in pictures.
- Throttle rate of repeated logins: you can further slow an attacker’s efforts by creating space between each single login attempt. Once a login fails, a timer can deny login until a short amount of time has passed.
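The three controls just listed (limiting attempts, locking the account after repeated lockouts, and throttling between attempts) fit together in one small login guard. The following is an added example, not code from the original post: an account is temporarily locked after three consecutive failures, a second temporary lockout escalates to a hard lock that only an administrator can clear, and every failure also imposes a growing delay before the next attempt is even considered. The thresholds, the delay schedule and the `FakeClock` used to drive the scenario are this example's own assumptions.

```python
from __future__ import annotations
import time
from dataclasses import dataclass, field
from typing import Callable

# Policy values assumed for this example (three attempts, several minutes of lockout).
MAX_FAILURES = 3          # consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 300     # length of the temporary lockout
MAX_LOCKOUTS = 2          # temporary lockouts before the account is hard-locked
BASE_DELAY = 1.0          # throttle: gap after the first failure, doubling thereafter
MAX_DELAY = 60.0          # cap on the throttle gap


@dataclass
class AccountState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    next_allowed: float = 0.0
    hard_locked: bool = False


@dataclass
class LoginGuard:
    clock: Callable[[], float] = time.monotonic
    states: dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.states.setdefault(user, AccountState())

    def check(self, user: str) -> tuple[bool, str]:
        """Decide whether an attempt may proceed, before any password is evaluated."""
        s, now = self._state(user), self.clock()
        if s.hard_locked:
            return False, "hard_locked"
        if now < s.locked_until:
            return False, "locked"
        if now < s.next_allowed:
            return False, "throttled"
        return True, "ok"

    def attempt(self, user: str, credentials_ok: bool) -> str:
        """Process one login attempt and return its outcome label."""
        allowed, reason = self.check(user)
        if not allowed:
            return reason                       # rejected even if the password is right
        s, now = self._state(user), self.clock()
        if credentials_ok:
            s.failures = s.lockouts = 0
            s.next_allowed = 0.0
            return "success"
        s.failures += 1
        s.next_allowed = now + min(BASE_DELAY * 2 ** (s.failures - 1), MAX_DELAY)
        if s.failures >= MAX_FAILURES:
            s.failures = 0
            s.lockouts += 1
            if s.lockouts >= MAX_LOCKOUTS:
                s.hard_locked = True            # needs an administrator to clear
                return "hard_locked"
            s.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failure"

    def admin_unlock(self, user: str) -> None:
        """Manual reset, the 'contact IT' step."""
        self.states[user] = AccountState()


class FakeClock:
    """Deterministic clock so the scenario can be stepped through by hand."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def run_scenario() -> list[str]:
    """Constructed sequence of attempts against one account; returns the outcomes."""
    clk = FakeClock()
    guard = LoginGuard(clock=clk)
    steps = [(0.0, False), (0.5, False), (1.0, False), (3.0, False), (100.0, True),
             (303.0, False), (304.0, False), (306.0, False), (10_000.0, True)]
    outcomes = []
    for t, ok in steps:
        clk.t = t
        outcomes.append(guard.attempt("alice", ok))
    guard.admin_unlock("alice")
    outcomes.append(guard.attempt("alice", True))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

Note that the correct password submitted at t=100 is still refused because the account is locked; the guard decides on timing alone before the credential is ever checked, which is what removes the attacker's ability to keep guessing.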
- Use multi-factor authentication: MFA (multi-factor authentication) adds a second layer of security to each login attempt that requires human intervention, which can stop a brute force attack from succeeding. This additional layer prevents anyone who has successfully obtained your credentials from accessing your account without a secondary piece of authentication.
- Password education: Educate users on safe practices and tools to help them keep track of their passwords.
- Watch accounts in real-time for strange activity: Odd login locations, excessive login attempts etc.
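Watching for strange activity means reading the authentication log for the patterns the attack types above leave behind. The following added example (not code from the original post) runs three detections over a constructed log: a burst of failures from one source, one source failing against many different usernames (the reverse brute force pattern), and a successful login that follows a run of failures on the same account. The log format, the thresholds and the addresses (drawn from the reserved documentation ranges) are all this example's own assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Detection thresholds (this example's assumptions).
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 5          # failures from one source inside WINDOW -> "burst"
SPRAY_USER_THRESHOLD = 3    # distinct users failed from one source -> "spray"
USER_FAIL_THRESHOLD = 3     # failures on one account before an OK -> "success_after_failures"

# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login user=alice src=198.51.100.7 result=OK
2024-05-01T10:00:30Z login user=bob src=198.51.100.8 result=FAIL
2024-05-01T10:00:45Z login user=bob src=198.51.100.8 result=OK
2024-05-01T10:01:00Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:01:10Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:01:20Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:01:30Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:01:40Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:01:50Z login user=alice src=203.0.113.5 result=OK
2024-05-01T10:02:00Z login user=bob src=203.0.113.9 result=FAIL
2024-05-01T10:02:05Z login user=carol src=203.0.113.9 result=FAIL
2024-05-01T10:02:10Z login user=dave src=203.0.113.9 result=FAIL
2024-05-01T10:02:15Z login user=erin src=203.0.113.9 result=FAIL
this line is not a login event and is skipped
"""


def parse(lines) -> list[tuple[datetime, str, str, str]]:
    """Turn matching lines into (timestamp, user, src, result); skip everything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def analyze(events) -> list[tuple[str, str, int]]:
    """Return (kind, subject, count) alerts, each kind reported once per subject."""
    fails_by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    fails_by_user: dict[str, list[datetime]] = defaultdict(list)
    reported: set[tuple[str, str]] = set()
    alerts = []

    def alert(kind: str, subject: str, count: int) -> None:
        if (kind, subject) not in reported:
            reported.add((kind, subject))
            alerts.append((kind, subject, count))

    for ts, user, src, result in events:
        # Keep only events still inside the sliding window.
        fails_by_src[src] = [(t, u) for t, u in fails_by_src[src] if ts - t <= WINDOW]
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= WINDOW]
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
            fails_by_user[user].append(ts)
            if len(fails_by_src[src]) >= FAIL_THRESHOLD:
                alert("burst", src, len(fails_by_src[src]))
            distinct = {u for _, u in fails_by_src[src]}
            if len(distinct) >= SPRAY_USER_THRESHOLD:
                alert("spray", src, len(distinct))
        else:
            if len(fails_by_user[user]) >= USER_FAIL_THRESHOLD:
                alert("success_after_failures", user, len(fails_by_user[user]))
    return alerts


def analyze_log(text: str) -> list[tuple[str, str, int]]:
    return analyze(parse(text.splitlines()))


if __name__ == "__main__":
    for kind, subject, count in analyze_log(SAMPLE_LOG):
        print(f"{kind:24s} {subject:14s} count={count}")
```

The third detection is the one worth escalating: a success right after a run of failures is how a credential-stuffing or brute force hit looks from the defender's side, and it is the account, not the source address, that needs attention.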
- Use a password manager: Installing a password manager automates creating and keeping track of your online login info.
———————————
Sources: