Brute force attacks are a rudimentary but potentially effective way to gain unauthorised access to user accounts and systems. Because they are so simple, they are commonly attempted against systems that do not enforce lockout policies, rate limiting or stronger authentication measures such as Multi-Factor Authentication. With today’s computational power, even fairly complex passwords can be vulnerable, especially in offline attacks against a stolen database of password hashes, where no server-side mechanism can slow or hinder the attacker’s progress.
How brute force attacks work
The way brute force attacks work varies with the method used. In a simple brute force attack, the attacker systematically tries every possible combination of characters up to some length, almost always with an automated tool rather than by hand. This quickly recovers short passwords and PINs, but the number of candidates grows exponentially with length, so it is impractical against long, complex passwords.
A dictionary attack instead runs a list of likely passwords (a wordlist) against a chosen username. Strictly speaking, dictionary attacks are not exhaustive brute force, but they are routinely used in password cracking. Attackers work through dictionaries of common passwords and words, often modifying entries by adding numerals and special characters or using specialised dictionaries tailored to a target’s language or industry. The disadvantage is that this misses any password, however simple, that is not in the list.
Hybrid brute force attacks combine a dictionary with rule-based guessing: each word is mutated (capitalised, appended with years or symbols, or given look-alike character substitutions) before being tried. They are more likely to recover passwords that mix common words with a few extra characters.
There are also reverse brute force attacks, in which the attacker starts with one known or common password and tries it against many usernames until it matches one. Aimed at a single organisation’s login portal this is usually called password spraying, and because each account receives only a few guesses it tends to stay below lockout thresholds. Most attackers doing this start with passwords leaked online from existing data breaches.
The final type is credential stuffing, which relies on people reusing the same login details across many websites. An attacker takes username and password pairs leaked from one site and replays them, at scale and with automation, against other sites; any pair that still works gives access to another account belonging to the same person.
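The five variants above differ only in how the list of candidate guesses is generated. The following Python, an added example that is not part of the original article, models each one against a constructed authentication oracle (hypothetical users, a made-up salt and a tiny wordlist) and counts how many guesses each needs. SHA-256 stands in for a real password hash purely to keep the example dependency-free.

```python
"""Added illustration of the brute force variants described above.
All users, hashes and wordlists here are constructed for the example."""
import hashlib
import itertools

SALT = "example-salt"  # hypothetical; a real store uses a random per-user salt


def _digest(pw: str) -> str:
    # SHA-256 keeps the example dependency-free; a real store would use a slow
    # password hash such as Argon2id or bcrypt.
    return hashlib.sha256((SALT + pw).encode()).hexdigest()


# Constructed user store: username -> password hash
USERS = {
    "alice": _digest("4719"),         # short numeric PIN
    "bob":   _digest("Summer2021!"),  # dictionary word + year + symbol
    "carol": _digest("Winter2021!"),  # same password reused on two accounts
    "dave":  _digest("Winter2021!"),
}

WORDLIST = ["password", "summer", "winter", "letmein", "qwerty"]


def check(user: str, pw: str) -> bool:
    """The login oracle every attack below queries."""
    return user in USERS and USERS[user] == _digest(pw)


def simple_brute_force(user, alphabet, max_len):
    """Exhaustive search: every string over `alphabet` up to `max_len`.
    Returns (password, guesses); the work grows as len(alphabet) ** length."""
    guesses = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(combo)
            if check(user, cand):
                return cand, guesses
    return None, guesses


def dictionary_attack(user, words):
    """Try each wordlist entry as-is; misses anything not in the list."""
    for guesses, w in enumerate(words, 1):
        if check(user, w):
            return w, guesses
    return None, len(words)


def mangle(word):
    """Hybrid rules: case variants, appended years and common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        for year in ("", "2019", "2020", "2021", "2022", "2023"):
            for suffix in ("", "!", "1", "123"):
                yield base + year + suffix


def hybrid_attack(user, words):
    """Dictionary words with mutations applied before each guess."""
    guesses = 0
    for w in words:
        for cand in mangle(w):
            guesses += 1
            if check(user, cand):
                return cand, guesses
    return None, guesses


def reverse_brute_force(password, usernames):
    """One known password against many usernames (password spraying):
    a single guess per account, so no per-account lockout is triggered."""
    return [u for u in usernames if check(u, password)]


def credential_stuffing(leaked_pairs):
    """Replay username/password pairs leaked from another site."""
    return [(u, p) for u, p in leaked_pairs if check(u, p)]


if __name__ == "__main__":
    print(simple_brute_force("alice", "0123456789", 4))     # ('4719', 5830)
    print(dictionary_attack("bob", WORDLIST))               # (None, 5)
    print(hybrid_attack("bob", WORDLIST))                   # ('Summer2021!', 110)
    print(reverse_brute_force("Winter2021!", list(USERS)))  # ['carol', 'dave']
    # Constructed "leak" from another site: one pair was reused, one was not.
    print(credential_stuffing([("alice", "Winter2021!"), ("dave", "Winter2021!")]))
```

The counts make the trade-offs concrete: the four-digit PIN falls to exhaustive search in a few thousand guesses, the plain dictionary misses "Summer2021!" entirely, and the hybrid rules find it in 110 guesses, while the reverse and stuffing attacks need only one guess per account.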
How common are brute force attacks?
Over the years, brute force attacks have become more commonplace, with a 74% increase in 2021. This is largely because the vast majority of people are now online, so a great deal of valuable data sits behind internet-facing logins. As tooling improves, attackers also gain faster and more automated ways to bypass cyber security defences.
After the COVID-19 pandemic, we also saw an increase in employees working remotely, which means more people use their personal networks and devices to reach company servers and remote-access portals. Attackers see these exposed login interfaces as a golden opportunity to guess or reuse credentials. There is no sign that brute force attacks will be abandoned in favour of other tactics any time soon.
How to prevent brute force attacks
You can take several steps to reduce the risk of a brute force attack. Firstly, make sure all your passwords are unique and strong rather than something simple like “password123”; length adds far more work for an attacker than the odd symbol does, so a long passphrase is a good choice. The stronger the credential, the lower the chance an attacker will guess it. To prevent credential stuffing, never reuse a password across accounts; a password manager makes complex, varied passwords for every account practical.
Another step is to remove any unused or dormant privileged accounts. Left in place, they are easy targets: nobody is watching for failed or successful logins against them, and a compromised administrator account gives an attacker far more than an ordinary user’s would. Delete or disable them as soon as they are no longer needed.
Brute force attacks can also be mitigated by account lockout or progressive delays after several failed attempts, CAPTCHAs to block automated submissions, rate limiting per source address, and Multi-Factor Authentication so that a guessed password alone is not enough. Stored passwords should be hashed with a slow, salted algorithm so that offline cracking of a stolen database is expensive. Application developers should use the resources available, such as the Authentication Cheat Sheet provided by OWASP.
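The lockout and delay mitigations mentioned above are easy to get subtly wrong, so here is an added example (not code from the original article or from OWASP) of a server-side throttle that combines a per-account lockout with per-source exponential backoff and a constant-time password check. The class and function names, the thresholds and the injected fake clock are hypothetical choices for illustration.

```python
"""Added example of login throttling: per-account lockout plus per-source
exponential backoff. Thresholds, names and the fake clock are hypothetical."""
import hashlib
import hmac
import time
from collections import defaultdict


class FakeClock:
    """Deterministic clock so the example runs offline; production code
    would pass time.monotonic instead."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_verifier(credentials):
    """Return verify(user, password) over a constructed user store.
    SHA-256 keeps the example dependency-free; a real store would use a
    slow password hash (Argon2id, bcrypt, scrypt)."""
    store = {u: hashlib.sha256(p.encode()).digest() for u, p in credentials.items()}
    dummy = hashlib.sha256(b"no-such-user").digest()

    def verify(user, password):
        # Compare against a dummy digest for unknown users so the time
        # taken does not reveal which usernames exist.
        expected = store.get(user, dummy)
        given = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(expected, given) and user in store

    return verify


class LoginThrottle:
    def __init__(self, verify, max_failures=5, lockout_seconds=900,
                 base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.verify = verify
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.failures = defaultdict(int)         # account -> consecutive failures
        self.locked_until = {}                   # account -> unlock time
        self.source_failures = defaultdict(int)  # client -> consecutive failures
        self.last_failure = {}                   # client -> time of last failure

    def required_delay(self, source):
        """Backoff per client: 0, 1, 2, 4, 8 ... seconds, capped at max_delay."""
        n = self.source_failures[source]
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def attempt(self, user, password, source):
        """Return one of 'ok', 'fail', 'throttled' or 'locked'."""
        now = self.clock()
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"          # correct password or not
            del self.locked_until[user]
            self.failures[user] = 0
        last = self.last_failure.get(source)
        if last is not None and now - last < self.required_delay(source):
            return "throttled"           # rejected before touching the store
        if self.verify(user, password):
            self.failures[user] = 0
            self.source_failures[source] = 0
            return "ok"
        self.failures[user] += 1
        self.source_failures[source] += 1
        self.last_failure[source] = now
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "fail"


def run_scenario():
    """Walk a constructed guessing sequence through the throttle."""
    clock = FakeClock(1000.0)
    verify = make_verifier({"alice": "correct horse battery staple"})
    throttle = LoginThrottle(verify, max_failures=3, lockout_seconds=600, clock=clock)
    attacker = "198.51.100.7"  # constructed client address (documentation range)
    good = "correct horse battery staple"
    results = [throttle.attempt("alice", "password123", attacker),  # fail
               throttle.attempt("alice", "letmein", attacker)]      # throttled (1 s backoff)
    clock.advance(1.5)
    results.append(throttle.attempt("alice", "qwerty", attacker))   # fail
    clock.advance(2.5)
    results.append(throttle.attempt("alice", "summer2021", attacker))  # locked (3rd failure)
    results.append(throttle.attempt("alice", good, attacker))       # locked, even though correct
    clock.advance(601)
    results.append(throttle.attempt("alice", good, attacker))       # ok, lockout expired
    return results


if __name__ == "__main__":
    print(run_scenario())  # ['fail', 'throttled', 'fail', 'locked', 'locked', 'ok']
```

Two caveats a practitioner should keep in mind. A hard lockout lets an attacker lock legitimate users out on purpose by deliberately failing, so many deployments prefer progressive delays or a CAPTCHA over long lockouts and rely on MFA as the real stop. And the per-account counter does nothing against password spraying, which is exactly why the per-source backoff is kept alongside it; an attacker rotating source addresses still needs to be caught by monitoring on the aggregate failure rate.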
Key Characteristics:
- Trial-and-Error Method: An attack approach that systematically tries candidate passwords or keys, in the pure form every possible combination, until one is accepted.
- Simplicity: It can be used by attackers with varying skill levels and requires no sophisticated techniques.
- Time-Consuming: The attack’s success depends on the password’s length and complexity and on how quickly guesses can be checked; each additional character multiplies the work, so longer passwords take far more time to crack.
- Potentially Effective Against Weak Security Measures: Systems that lack robust authentication controls such as lockout, rate limiting and MFA are susceptible to brute force attacks.
Examples:
- Real-World Example: An attacker uses a Brute Force Attack to guess an email password by trying different combinations of letters and numbers until the correct password is identified.
- Hypothetical Scenario: A cybercriminal attempts to access an encrypted file by running a brute force attack against its encryption key, trying every possible key until one decrypts the file. Against a modern key length such as 128-bit AES this is computationally infeasible, so in practice the attacker targets the password the key was derived from instead.
Related Terms:
- Dictionary Attack: A type of Brute Force Attack that uses a list of pre-compiled guesses, often derived from lists of common passwords and phrases.
- Credential Stuffing: A related cyber attack strategy where stolen account credentials are used to gain unauthorised access to user accounts through large-scale automated login requests.
- Multi-Factor Authentication (MFA): A security measure that requires multiple methods of authentication, which can help prevent unauthorised access even if a password is compromised.