What is a brute force attack?
A brute force attack is a simple attack method whereby hackers use trial and error to ‘guess’ a username and password, PIN, or encryption key in order to gain unauthorized access to a system.
Brute force attacks fall under the category of a “password attack.” Like a thief trying every combination on a padlock, the hacker will try different combinations of usernames and passwords until they manage to break into the account.
Most hackers prefer to use scripts or applications especially designed to crack passwords or try out many different password combinations in quick succession. There are many types of specialized software available that make brute forcing quicker and easier.
While some brute force attacks are carried out by humans, many brute force attacks these days are done by bots that can attack websites systematically using lists of account credentials procured from the dark web, or from a previous security breach.
Why do hackers try and guess the passwords of their unsuspecting victims? The purpose of a brute force attack is usually so that hackers gain access to a system in an effort to install malicious software, steal sensitive data, or cause some form of damage or disruption.
Hackers may also use brute force attacks for penetration testing, to check how secure an organization’s network is, prior to launching a fully-fledged cyberattack.
There are many different types of brute force attacks. Here are the most common ones.
The simple brute force attack is the most low-tech form. The hacker attempts to guess the correct password manually, without any assistance from scripts or applications. This method works best when users have obvious usernames and passwords such as “12345.”
This type of brute force attack is associated with the term “exhaustive search”, as the hacker must try every possible password until the correct one is found.
As you can imagine, brute forcing in this way can be very time-consuming, with many failed attempts along the way.
In a dictionary attack, words in a dictionary are tested to find a password. These words may be combined with numbers and symbols in order to crack more complex passwords. Dictionary attacks can be done using password cracking tools that test the most logical combinations, which is much faster than testing all possible combinations, and requires less computing power.
Hybrid brute force attacks are a combination of simple brute force attacks and a dictionary attack. The dictionary provides the words, and the hacker then uses trial and error, adding or replacing characters or numbers manually to try out all possible passwords.
Reverse brute force attacks, also known as password spraying, involve taking a popular, simple password and trying it out against as many different usernames as possible, not targeting any user in particular. Like its name, a reverse brute force attack is the reverse of a typical brute force attack, where a hacker is targeting a particular username and trying to guess the correct password.
A rainbow table attack is one where the hacker uses a special kind of precomputed table, called a rainbow table, to crack the password hashes in a specific database. When passwords are stored in a database, they aren’t stored in plain text; rather, each password is run through a hash function and only the resulting hash is stored. When a user logs in, the password they enter is hashed and compared with the stored hash to authenticate them.
Hackers need to get access to hashes that have been leaked in order to carry out this type of brute force attack.
Rainbow table attacks can be avoided by double-hashing passwords, or through ‘salting’, in which an additional random value is combined with each password before it is hashed, so that identical passwords produce different hashes and a precomputed table no longer matches.
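The following is an added example, not code from the article, showing the salting described above in practice. It contrasts a plain SHA-256 hash, where two users with the same password get the same stored value, with a salted PBKDF2-HMAC-SHA256 hash, where they do not. The usernames, the shared password and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2 work factor. Kept low so the example runs quickly; a production
# deployment would use a far higher value (assumed value, not from the article).
ITERATIONS = 50_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Every user who picks the same password
    ends up with the same stored value, which is what a precomputed table
    is built to look up."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is
    supplied, so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample: two users happen to choose the same weak password.
    users = {"alice": "Summer2023", "bob": "Summer2023"}
    plain = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_hashes_identical": plain["alice"] == plain["bob"],
        "salted_hashes_identical": salted["alice"][1] == salted["bob"][1],
        "alice_correct_password": verify_password("Summer2023", *salted["alice"]),
        "alice_wrong_password": verify_password("summer2023", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest; it is not a secret. Its job is only to make every stored hash unique, so a table computed once cannot be reused against the whole database.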
Credential recycling, or credential stuffing, is when a hacker reuses stolen credentials that were gathered during previous brute force attacks – they ‘stuff’ the credential into many different login forms.
With decades of successful brute force attacks, hackers have plenty of credentials to play with. Often, such credentials are sold on the dark web.
This type of attack works because users frequently re-use the same usernames and passwords for each password protected account they own.
Here are some tips for how to prevent brute forcing.
Those who use simple or common passwords become easier targets for brute force attacks. For organizations, there should be a strict password security policy and awareness training to ensure users are not using weak passwords.
Here are some guidelines for creating the best passwords:
Two-factor authentication, or multi-factor authentication, involves using more than one type of authentication to gain access to a system.
In addition to asking for a password, the user may need to use biometrics, such as a fingerprint, or they may be asked to enter a code sent to their cellphone, to confirm their identity.
Users who use the same password for many different password protected accounts are most likely to fall victim to brute force attacks. The hacker only has to guess one password, and they are then able to access a user’s other accounts using the same user credentials.
Using longer passwords decreases the likelihood that a hacker will be able to guess them, even with automated tools. This is especially true when the password includes multiple words, characters, and numbers, in line with the guidelines mentioned earlier.
A password manager creates and manages complex and unique passwords for users. This makes it much easier to manage multiple accounts without needing to remember different passwords, and also ensures the passwords are as complex as possible, so that they are far harder to guess using brute force attack tools.
Applications and websites should never allow unlimited login attempts, and should inform users of a suspicious login attempt, such as one from a different location or at an unusual time of day. Many websites already take such action, locking users out of their accounts for a specific amount of time after a number of unsuccessful login attempts.
Website admins should use a plugin that will block IP addresses if they go over the allowed number of login attempts.
Websites and applications can use CAPTCHAs or similar tools that prevent brute force attacks performed by bots.
An intrusion detection system can be set up to detect brute force attempts. This can be combined with multi-factor authentication to ensure these brute force attacks fail.
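As an added example (not code from the article), the detection logic below applies the three controls just described to a short, constructed authentication log: a per-account lockout after repeated failures, a per-address block, and a check for the reverse brute force / password spraying and credential stuffing pattern described earlier, where one address fails against many different accounts. The log format, addresses, usernames and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per login attempt. The format is constructed for this example;
# adapt the regex to whatever your application or web server actually logs.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Policy thresholds (assumed values, not from the article).
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
USER_LOCK_THRESHOLD = 5          # failures on one account -> temporary lockout
IP_BLOCK_THRESHOLD = 10          # failures from one address -> block the address
SPRAY_DISTINCT_USERS = 3         # distinct accounts failed from one address -> spraying

# Constructed sample log: alice is hammered from one address, a second address
# tries one common guess against several accounts, erin mistypes once, and
# frank's account is probed slowly (one failure every 30 minutes).
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAIL user=alice ip=198.51.100.7
2024-03-01T09:00:20 FAIL user=alice ip=198.51.100.7
2024-03-01T09:00:40 FAIL user=alice ip=198.51.100.7
2024-03-01T09:01:00 FAIL user=alice ip=198.51.100.7
2024-03-01T09:01:20 FAIL user=alice ip=198.51.100.7
2024-03-01T09:05:00 FAIL user=bob ip=203.0.113.9
2024-03-01T09:05:01 FAIL user=carol ip=203.0.113.9
2024-03-01T09:05:02 FAIL user=dave ip=203.0.113.9
2024-03-01T09:10:00 FAIL user=erin ip=192.0.2.44
2024-03-01T09:10:30 OK user=erin ip=192.0.2.44
2024-03-01T09:20:00 FAIL user=frank ip=192.0.2.45
2024-03-01T09:50:00 FAIL user=frank ip=192.0.2.45
2024-03-01T10:20:00 FAIL user=frank ip=192.0.2.45
2024-03-01T10:50:00 FAIL user=frank ip=192.0.2.45
2024-03-01T11:20:00 FAIL user=frank ip=192.0.2.45
""".splitlines()


def parse_line(line: str):
    """Return (timestamp, result, user, ip) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def _trim(times: deque, now: datetime) -> None:
    """Drop timestamps that have fallen out of the sliding window."""
    while times and now - times[0] > WINDOW:
        times.popleft()


def analyze(lines) -> dict:
    user_fails = defaultdict(deque)   # account -> recent failure times
    ip_fails = defaultdict(deque)     # address -> recent failure times
    ip_users = defaultdict(dict)      # address -> {account: last failure time}
    locked_users, blocked_ips, spraying_ips = set(), set(), set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result != "FAIL":
            continue  # only failures count toward the thresholds
        user_fails[user].append(ts)
        _trim(user_fails[user], ts)
        ip_fails[ip].append(ts)
        _trim(ip_fails[ip], ts)
        ip_users[ip][user] = ts
        recent_users = sum(1 for t in ip_users[ip].values() if ts - t <= WINDOW)

        if len(user_fails[user]) >= USER_LOCK_THRESHOLD:
            locked_users.add(user)
        if len(ip_fails[ip]) >= IP_BLOCK_THRESHOLD:
            blocked_ips.add(ip)
        if recent_users >= SPRAY_DISTINCT_USERS:
            spraying_ips.add(ip)

    return {
        "locked_users": sorted(locked_users),
        "blocked_ips": sorted(blocked_ips),
        "spraying_ips": sorted(spraying_ips),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note what the sample shows about the limits of thresholds: frank's account receives five failures but never five inside one window, so a slow, patient attack stays below the lockout, and a spraying address stays below the per-address block because it only fails once per account. That gap is the reason the article pairs throttling with multi-factor authentication and alerting rather than relying on any single counter.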
In general, allowing remote access can present a significant security risk – which is a challenge in a time where remote work is becoming more popular. For example, hackers can use Windows’ Remote Desktop Protocol (RDP) to perform a brute force attack.
You can reduce the risk of a brute force attack by setting up a VPN gateway for encrypted remote connections. With a VPN, all traffic is kept away from the local network. Because the VPN encrypts data in transit and hides your IP address, hackers can’t intercept personal information that they could later use in a brute force attack.
It’s tempting to think that a VPN increases network security to a point where threats like brute force password attacks are no longer relevant. Can a password be brute forced when using a VPN? Unfortunately, yes.
If you don’t use a strong password for your VPN, or you don’t follow the other general guidelines for avoiding brute force attacks, hackers can gain access to a VPN in the same way they can gain access to any other application – whether by trying different password combinations, or by using more sophisticated tools to figure out the password or encryption key.