What Are Brute Force Attacks?
A brute force attack is when somebody runs through all possible password combinations to correctly guess login information. It is an old attack method but it is still effective and widely used amongst hackers.
Depending on the length and complexity of the password, however, password cracking in this way can take anywhere from a few seconds to many years. Hackers typically use a script, hacking application, or similar process to carry out continuous login attempts to get the information.
Why Attempt A Brute Force Attack?
Brute force attacks are considered less refined than other methods because it takes an indeterminate amount of time to crack passwords. So why would people still try this attack method? Here’s what can happen when malicious users gain access:
- Steal personal data and sensitive information – Online accounts are like bank vaults to hackers. Guess the correct password and they can steal your money and/or harvest your private credentials to sell for profit. At the corporate level, this unauthorised access can expose an entire organisation's sensitive databases, leading to massive data breaches.
- Spread malware to cause problems – Hackers can redirect a web domain to sites containing malicious content. Alternatively, they could also directly infect a site to install hidden malware onto visitors’ computers.
- Hijack your account for malicious activity – If a hacker manages to infiltrate your computer or mobile device, they can pose as you on your online accounts to send phishing links to all your contacts. Fake information can also be shared more effectively in this way since it seems to come from a familiar person.
- Damage a website’s reputation – If you or your company runs a website, a cybercriminal that has unauthorised access can deface your site with obscene or inaccurate content. This kind of vandalism can take the form of highly inappropriate text, images, and audio of a violent or pornographic nature.
Types of Brute Force Attacks
Hackers can perform brute force attacks using different methods. Your login information might already be compromised by any of the following brute force methods:
Straightforward Brute Force Attacks
Without using software tools or any other intelligent means, hackers simply attempt to logically guess your credentials. In this case, weak passwords and PINs like “1234”, “0000”, or “password1” are used. For real security, these extremely common passwords are not recommended for any kind of account.
Dictionary Attacks
The most basic brute force attack is a dictionary attack where a hacker runs through a dictionary of possible passwords against a target username. This type of attack is rather cumbersome to execute, especially for long and complex passwords, as the attacker would have to also try passwords with special characters and numerals.
Hybrid Brute Force Attacks
Hackers blend straightforward guessing with dictionary attacks to attempt a break-in, hence the name. These attacks are used to find passwords that combine common words with numbers or other characters. These usually look something like “London1999”, “BigBoy20”, or “ilovecats97”.
Reverse Brute Force Attacks
This is a password-cracking technique that works surprisingly well. Just as the name implies, it is a brute force attack that starts with a known password instead of a target username. What usually happens is hackers try out a password on several usernames until they find a match. If a data breach recently leaked a list of passwords onto the internet, you can bet cybercriminals will use this technique.
Credential Stuffing
Since most online users have multiple accounts for various reasons, they may reuse the same login information across many websites for convenience. Such easy access can be abused by hackers who possess a username-password combo for credential stuffing. If the login works for one website, they will try it on other sites as well.
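The attack types above leave different fingerprints in an authentication log: a straightforward, dictionary or hybrid attack piles up failures on one account, while a reverse brute force or credential-stuffing run spreads a few attempts across many accounts from the same source. The following Python is an added example, not code from the original article or from Primary Guard; it parses a constructed log format (the `ts=… ip=… user=… result=…` layout and the thresholds are assumptions) and labels each source address by pattern.

```python
"""Classify failed-login patterns from authentication log lines.

Added example (not from the original article). The log format below is
constructed for illustration; real systems use their own formats.
"""
from collections import defaultdict
import re

# Assumed log format: timestamp, source IP, username, and OK/FAIL result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source hammering a single account, one source
# trying a password across many accounts (reverse brute force / stuffing),
# and one ordinary user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:02Z ip=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:03Z ip=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:04Z ip=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:05Z ip=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:06Z ip=203.0.113.10 user=alice result=FAIL
2024-05-01T09:01:00Z ip=198.51.100.7 user=bob result=FAIL
2024-05-01T09:01:01Z ip=198.51.100.7 user=carol result=FAIL
2024-05-01T09:01:02Z ip=198.51.100.7 user=dave result=FAIL
2024-05-01T09:01:03Z ip=198.51.100.7 user=erin result=FAIL
2024-05-01T09:01:04Z ip=198.51.100.7 user=frank result=OK
2024-05-01T09:02:00Z ip=192.0.2.44 user=grace result=FAIL
2024-05-01T09:02:05Z ip=192.0.2.44 user=grace result=OK
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify_sources(log_text, single_user_threshold=5, spray_user_threshold=4):
    """Return {ip: verdict}.

    Verdicts:
      'brute_force'      - many failures against one account
      'spray'            - few failures each across many accounts
      'spray_compromise' - spray pattern followed by a successful login
      'normal'           - nothing above the (assumed) thresholds
    """
    fails_by_user = defaultdict(lambda: defaultdict(int))  # ip -> user -> fails
    successes = defaultdict(set)                            # ip -> users logged in
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            fails_by_user[ev["ip"]][ev["user"]] += 1
        else:
            successes[ev["ip"]].add(ev["user"])

    verdicts = {}
    for ip in set(fails_by_user) | set(successes):
        per_user = fails_by_user.get(ip, {})
        max_fail = max(per_user.values(), default=0)
        distinct_users = len(per_user)
        if max_fail >= single_user_threshold:
            verdicts[ip] = "brute_force"
        elif distinct_users >= spray_user_threshold:
            # Many accounts, few tries each: reverse brute force / stuffing.
            # A success from the same source suggests an account was taken.
            verdicts[ip] = "spray_compromise" if successes.get(ip) else "spray"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

The two thresholds are the tuning knobs: a low per-account threshold catches slow dictionary runs sooner but also flags forgetful users, and the distinct-user threshold should sit well above the number of accounts a legitimate shared gateway (office NAT, VPN exit) would log in from during the window.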
How to Prevent Brute Force Attacks
For any user, the best defence against password cracking is to always use a strong, unique username and password. Brute force attacks depend on time to break in, so protect yourself with unique credentials. The more complex the combination, the longer it takes hackers to guess it.
To avoid becoming a victim of brute force attacks, organisations and IT specialists should take the following precautions and measures for better network security systems.
- Implement two-factor authentication (2FA) – It’s safer to detect and prevent an unauthorised user than it is to actively stop an attack in progress. Administrators should make two-factor authentication mandatory. This system requires users to follow up a login attempt with a second factor, like a fingerprint or face biometrics scan.
- Limit the number of login retries – Allowing only a certain number of login retries seriously reduces the chances of a successful brute-force attack.
- Lock down an account after excessive failed login attempts – Do not allow anybody to endlessly keep retrying passwords. Lock down the account and require the user to contact IT for an unlock.
- Enable short lockout timers – Another way to slow down an attacker’s effort is to insert a delay after each set number of failed login attempts. For example, after 2 failed login attempts, a timer can deny login until 5 minutes have passed. This leaves time for your IT specialists, who are alerted to the threat, to work on stopping the unauthorised access.
- Require Captcha during login – Robots that can automatically run through millions of password combinations will face problems with manual verification. Regardless of what Captcha you use, such as retyping the text in an image, checking a checkbox, or identifying objects in pictures, having this for the login process will add an extra layer of security.
- Use an IP denylist – Once you detect and successfully stop the brute force attack, add the IP address to the denylist to prevent further attempts from the same device. Keep the IP denylist constantly updated.
- Remove any unused accounts – In the case when employees resign from the company, their user accounts must be closed as soon as possible. If left unmaintained, these accounts can become security vulnerabilities, especially those with high-level permissions.
- Use high-bit encryption keys – System administrators must ensure all their web services that collect user information are encrypted with the longest key sizes practical, such as 256-bit encryption. The more bits in the key, the longer it takes to brute force it.
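The retry limit, account lockdown, short lockout timer and IP denylist in the list above are one policy with a single state machine behind it. The Python below is an added example, not code from the original article or a Primary Guard product; it uses the article's numbers for the short timer (2 failures, 5 minutes) and assumes a hard lock after 6 cumulative failures, a figure the article does not give. The clock is injectable so the behaviour can be checked without waiting.

```python
"""Login attempt guard: retry limit, temporary lockout, hard lock, IP denylist.

Added example (not from the original article). The 2-failure / 5-minute
short timer follows the article; the hard-lock threshold of 6 is assumed.
"""
import time


class LoginGuard:
    def __init__(self, temp_lock_after=2, temp_lock_seconds=300,
                 hard_lock_after=6, clock=time.monotonic):
        self.temp_lock_after = temp_lock_after      # article: 2 failures ...
        self.temp_lock_seconds = temp_lock_seconds  # ... then a 5-minute timer
        self.hard_lock_after = hard_lock_after      # assumed: 6 cumulative failures
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> clock value when the short timer expires
        self.hard_locked = set()  # users who must contact IT
        self.ip_denylist = set()  # source addresses refused outright

    def attempt(self, user, ip, verify):
        """Process one login. `verify` is a zero-argument callable that checks
        the password; it is only invoked when no lock applies, so a locked
        account gives an attacker no password feedback at all."""
        now = self.clock()
        if ip in self.ip_denylist:
            return "denied_ip"
        if user in self.hard_locked:
            return "locked_contact_it"
        if now < self.locked_until.get(user, 0.0):
            return "temporarily_locked"
        if verify():
            self.failures.pop(user, None)  # success resets the counter
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.hard_lock_after:
            # Excessive failures: lock the account and denylist the source.
            self.hard_locked.add(user)
            self.ip_denylist.add(ip)
            return "locked_contact_it"
        if n % self.temp_lock_after == 0:
            # Every `temp_lock_after` failures, deny logins for the timer period.
            self.locked_until[user] = now + self.temp_lock_seconds
            return "temporarily_locked"
        return "failed"

    def admin_unlock(self, user):
        """IT-initiated unlock: clears the hard lock and the failure counter."""
        self.hard_locked.discard(user)
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


if __name__ == "__main__":
    g = LoginGuard()
    for _ in range(3):
        print(g.attempt("alice", "203.0.113.10", lambda: False))
```

Two details matter in practice: the password check must not run while a lock applies (otherwise the lockout only slows the attacker's reporting, not their guessing), and the short timer should refuse even the correct password during the window, which is what lets IT respond before the account is actually entered. Counting failures per source IP as well as per user, and denylisting sources that spray across many accounts, extends the same structure to the reverse brute force case.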
Do Not Neglect Brute Force Attack Prevention
No password is uncrackable for long. Businesses and organisations need to take a proactive approach to stop brute force attacks from happening.
Primary Guard provides Access Control Management products that are all designed to detect and prevent brute force attacks before any real harm is done. Since these attacks can occur on any website or platform that requires a password, we have various solutions ranging from SaaS application protection to rate limiting.
Contact Primary Guard today to get proper security for your Password Protection needs.