What are Brute Force Attacks?
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN).
To illustrate, here is how a brute force attack works in a realistic scenario.
If you’ve forgotten the three-digit combination for the lock on your suitcase, you can, if you have the patience, systematically try every combination of numbers starting at 000 and methodically work your way through to 999. One of those combinations must be the correct one.
A brute force attack against a network or computer is similar to this, except instead of trying combinations of digits, combinations of letters and numbers are used. A variation on this, and a technique that is more commonly seen in practice, is to use a very long list of actual passwords and to try them one at a time.
With the suitcase, it is obvious that one combination of three digits will work. With the brute force attack there is no guarantee that one of the passwords in the list will work, nor that the password will be stumbled upon by chance.
However, the longer the list of passwords, the more likely it is that one of them will match the password of the account under attack. But there is a trade-off: the longer the list, the more time it takes to work through it, and password lists can be very long indeed.
Key Takeaways
- A brute force attack is a trial-and-error method used to obtain information such as a user password or PIN.
- Attack methods include traditional brute force attacks, password look-ups, intelligent look-ups, dictionary attacks, API attacks, and rainbow attacks.
- Protect against brute force attacks by using strong and unique passwords, MFA, account lockout policies, and CAPTCHAs.
- Brute force attack tools and software are designed to automate the guessing process and increase the attack’s efficiency.
- The rise in remote work during COVID-19 led to more brute force attacks due to lapses in security practices.
Understanding Brute Force Attacks
Every time there is a data breach, the leaked passwords become available to the threat actors and they are added to the brute force password lists. Lists of leaked passwords and standard dictionary words are also used. This covers more combinations – and gives the attackers more chance of success – but adds to the time taken to work through the list.
The likelihood of a brute force attack being successful is predicated on three factors:
- Whether your password is unique.
- Whether your password has been involved in a data breach.
- Whether you use a password or a pass-phrase.
The details of over 10 billion compromised accounts are held on the Have I Been Pwned website. You can get a good idea of whether your password is unique by checking Have I Been Pwned. You’ll probably find it in the database. With so many leaked accounts, it’s inevitable that there will be duplicates.
Of course, if your password is in the Have I Been Pwned databases, it doesn’t mean one of your accounts was compromised. It might mean that, but it can also mean someone else’s account was compromised, and they happened to use the same password as yourself.
Brute force attacks can be thought of as threat actors having copies of thousands and thousands of keys. They try them one at a time at your door. If one happens to match your door, they can gain access. Where the copy of the key came from is irrelevant.
You should never use a password in more than one place. If that single password is compromised, all your accounts are exposed to risk. If you have too many passwords to remember, use a password manager. A good template for a secure password is three unrelated words joined with punctuation, forming a passphrase.
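The Have I Been Pwned check described above can be done without sending the password anywhere: its Pwned Passwords range API accepts only the first five hex characters of the password’s SHA-1 hash and returns every known suffix for that prefix, so the full hash never leaves your machine. The following is an added example, not code from the article or from Have I Been Pwned; it implements that k-anonymity lookup against a constructed, embedded copy of what a range response looks like (the breach count shown for "password" is made up), with an optional live fetch against the real endpoint.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, used only by fetch_range_live


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-character prefix is ever sent to the service (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the data served by fetch_range(prefix)."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real API (network access required)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_sample_response() -> str:
    """Constructed stand-in for a range response: two made-up suffixes plus the
    genuine suffix of SHA-1("password") with a made-up count, so the example runs offline."""
    _, pw_suffix = split_hash("password")
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed
        f"{pw_suffix}:9545824",                     # real suffix, constructed count
        "0060A0B6D5F49E1C3F6B7DE38A2C7D92B4C:3",   # constructed
    ]
    return "\r\n".join(lines) + "\r\n"


def fetch_range_offline(prefix: str) -> str:
    """Offline substitute for fetch_range_live that ignores the prefix."""
    return build_sample_response()


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-7!"):
        print(f"{pw!r}: seen {breach_count(pw, fetch_range_offline)} times in the sample data")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; a count above zero means the password has appeared in a breach and should not be used, even if the account it leaked from was someone else’s.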
How Brute Force Attacks Work
Brute force attacks are not an end in themselves; they are a stepping-stone in the threat actors’ larger plan. Many systems restrict the number of failed log-in attempts, which makes brute-forcing them more challenging. Remote user access technologies such as Remote Desktop Protocol (RDP) and Secure Shell (SSH) should be configured to enforce a timeout after a given number of failed access attempts, or to lock the account and force a password reset. So the main targets for these types of attacks are not corporate networks – at least, not directly.
Instead, brute force attacks target corporate portals, websites, hosted applications, and encryption keys or API keys, to obtain information that can be used to mount a secondary attack on the corporate network.
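Whether or not SSH is configured to lock accounts, the failed attempts it logs are the signal a defender watches for. The following is an added example, not code from the article: it parses OpenSSH-style "Failed password" syslog lines and flags any source address that accumulates five or more failures inside a sliding 60-second window. The log lines are constructed for this example (documentation IP ranges, invented hostnames and PIDs); the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log in OpenSSH's syslog format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:15:04 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:06 bastion sshd[2204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:15:07 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:09 bastion sshd[2206]: Accepted publickey for deploy from 198.51.100.20 port 40011 ssh2
Mar  3 10:16:30 bastion sshd[2207]: Failed password for alice from 198.51.100.44 port 40012 ssh2
Mar  3 10:21:45 bastion sshd[2208]: Failed password for alice from 198.51.100.44 port 40013 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str, year: int = 2024):
    """Yield (timestamp, source_ip, username) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts_text = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {source_ip: (time_first_flagged, sorted usernames tried)} for every
    source that reaches `threshold` failures within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for ts, ip, user in sorted(parse_failures(log_text)):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (ts, sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (when, names) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} brute force suspected from {ip}: tried {', '.join(names)}")
```

On the sample, 203.0.113.7 is flagged at 10:15:07 after its fifth failure in six seconds, while the two spaced-out failures from 198.51.100.44 are not. A per-source threshold alone misses password spraying spread across many addresses, so production detections also count failures per target account.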
Gaining access to a corporate website allows the threat actor to access any files that are not encrypted. Mistakes during the design and implementation of the website can be exploited.
Brute Force Attack Example
For example, if the passwords are stored in plain text, the threat actors now have all of the IDs and passwords for that system, not just those of the compromised account. Usually, that means they also have the administrator’s credentials. If those administrator credentials are the same as the corporate network’s administrator credentials, the threat actors have compromised the main network by attacking the less well-guarded website or hosted application.
Even if they don’t immediately gain any additional exploitable information, the threat actors can modify web pages and inject malicious functionality so that subsequent logins are recorded and the account credentials captured. They then revisit the website using the compromised account and retrieve the list of recently used IDs and passwords. Eventually, they will obtain the administrator’s credentials.
Trying to crack an Application Programming Interface (API) key is a different but similar type of attack. The threat actors aren’t trying to discover the password to a user account; they are trying to discover a key that grants access to an API. If the threat actors can access the API, they will attempt to extract information by abusing the API’s functionality.
Semi-Intelligent Brute Force Attacks
Brute force packages are easy to locate and download, making them available for any cybercriminal who wants to use them. There are packages with specialisms, such as those that attack Wi-Fi networks or network devices such as firewalls, routers, and other managed appliances.
Pure password look-up brute force packages read through the password lists and methodically use the passwords one after the other, and do no more than that.
The more sophisticated brute force packages use each password from the password list as-is, then apply common transformations to it and try those too. They can work through permutations of the base password, substituting numbers for vowels following the common convention of using 1 for ‘i’, 3 for ‘e’, 4 for ‘a’, and so on. They also translate passwords into leetspeak, where Techopedia becomes “73ch0p3d14”.
Some brute force packages will also work through permutations of digits that some users like to add to the end of passwords to represent the current year, the year they were born, or other significant dates.
As you’ll appreciate, performing these transformations takes longer the more characters there are in the password that is being tried. Sophisticated brute force software will make use of the graphics processing unit (GPU) of the attacked computer to speed up the calculations that are required to work through the permutations.
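The transformations described above are exactly what a password-acceptance check should undo before deciding whether a new password is really new. The following is an added example, not code from the article: it reverses the leetspeak substitutions the article lists, strips a trailing year or punctuation, and rejects any password whose underlying word is on a blocklist. The blocklist is a constructed handful of words (a deployment would load a large leaked-password list), and mapping 1 back to ‘i’ rather than ‘l’ follows the article’s convention.

```python
import re

# Constructed blocklist for the example; a deployment would load a large leaked-password list.
BLOCKLIST = {"password", "techopedia", "welcome", "letmein", "qwerty", "summer"}

# Reverse of the substitutions the article describes (1 -> i, 3 -> e, 4 -> a, ...).
# Assumption: 1 maps to 'i' as the article states; a fuller checker would also try 'l'.
DELEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def candidate_forms(password: str) -> set:
    """Return the base words a password could have been derived from."""
    s = password.lower()
    forms = {s}
    # Drop a trailing run of digits/punctuation such as "2024", "1990" or "!".
    forms.add(re.sub(r"[\W_\d]+$", "", s))
    # Undo leetspeak on every form collected so far (both with and without the suffix,
    # because trailing digits may themselves be leet letters, as in "73ch0p3d14").
    forms |= {f.translate(DELEET) for f in list(forms)}
    # Drop any remaining separators ("pass-word" -> "password").
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    forms.discard("")
    return forms


def check_password(password: str, blocklist=BLOCKLIST, min_length: int = 12):
    """Return (accepted, reason). Blocklist derivation is checked before length so the
    user learns that the base word, not the decoration, is the problem."""
    hits = candidate_forms(password) & blocklist
    if hits:
        return False, f"derived from blocked word: {sorted(hits)[0]}"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("73ch0p3d14", "P@ssw0rd2024!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)}")
```

"P@ssw0rd2024!" is rejected because stripping the suffix and undoing the substitutions yields "password", which is precisely the sequence a transformation-aware cracker would reach early in its run.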
Different Types of Brute Force Attacks
Brute force attacks can be categorized according to the different techniques they employ:
Motives Behind Brute Force Attacks
Despite their simplicity, brute force attacks are driven by various motives, each reflecting the attacker’s intent and the value of the targeted data.
The most common motive is to gain unauthorized access to personal or corporate accounts. Attackers often target email accounts, online banking, or social media profiles.
By cracking the password, they gain the same access as the legitimate user, allowing them to steal sensitive information, commit fraud, or even impersonate the user for malicious activities.
Another key motive is decrypting encrypted data. In cases where data is secured through encryption, the only way to access this information without the original key is to guess it – a perfect scenario for a brute force attack.
This method is particularly concerning for businesses and governments that regularly encrypt sensitive data.
Brute Force Attack Tools
Brute force attack tools and software are designed to automate the guessing process and increase the attack’s efficiency. Here are some of the most common tools:
| Tool Name | Description | Typical Use |
|---|---|---|
| John the Ripper | A password cracker that automatically detects password hash types and employs dictionary and brute force attacks. | Cracking password hashes, testing password strength. |
| Hydra | Focuses on attacking online applications by rapidly generating and testing passwords against various protocols and services. | Attacking web applications, network services, and remote authentication. |
| Aircrack-ng | A tool for cracking Wi-Fi network passwords using weaknesses in the WEP/WPA/WPA2 security protocols. | Cracking Wi-Fi network passwords. |
| Hashcat | An advanced password recovery tool, known for its speed and ability to crack many hash types using GPUs. | Password recovery for a variety of hash types. |
| RainbowCrack | Uses a time-memory trade-off algorithm to crack hashes. It pre-computes tables of hash chains to significantly speed up the cracking process. | Efficient hash cracking by reducing computation time. |
How to Protect Against Brute Force Attacks
While no single defense is foolproof against a brute force attack, organizations can put in place measures that increase the time it will take for brute force attacks to succeed, or require additional user actions. This improves overall brute force attack prevention.
- Enable multi-factor authentication where possible. This adds something the user has – such as a cell phone or a USB key or fob – to the password. Both authentication methods must be present, meaning the password on its own is insufficient.
- Use robust passwords and passphrases that are unique, and stored in an encrypted form.
- Implement a password policy that instructs and guides staff members on password robustness, complexity, uniqueness, and re-use.
- Limit log-in attempts to a small number of failed attempts in a given timeframe. Lock the account when the threshold has been reached, or force a password reset.
- Enable captchas or other image-based systems designed to prove the access attempt is being made by a human and not a bot.
- Consider using a password manager. A password manager will automatically generate complex passwords and make it easy to have a different password for every system.
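The lockout measure in the list above is simple to state but has details worth getting right: the window and lockout should be time-bounded rather than permanent (a permanent lockout lets anyone who knows a username lock its owner out), unknown accounts should get the same response and roughly the same work as real ones, and a lockout must apply even when the right password finally arrives. The following is an added example, not code from the article: a small login guard with an injectable clock so the behaviour can be exercised deterministically. The user store, account name, password and thresholds are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


# --- constructed user store with a single account ---------------------------------
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery staple", _SALT))}


def verify_password(account: str, password: str) -> bool:
    record = USERS.get(account)
    if record is None:
        _derive(password, b"\x00" * 16)  # same work for unknown accounts so timing does not reveal them
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


class LoginGuard:
    """Temporary account lockout after max_failures failed logins inside window_s seconds."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]  # lock expired: start fresh
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account: str, password: str, verify) -> str:
        """Return 'locked', 'ok' or 'denied'. Failures are counted for unknown accounts too."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"  # even a correct password is refused while locked
        if verify(account, password):
            self._failures[account].clear()
            return "ok"
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()  # forget failures older than the window
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            q.clear()
            return "locked"
        return "denied"


class FakeClock:
    """Controllable clock so the lockout can be demonstrated without waiting."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo() -> list:
    clock = FakeClock()
    guard = LoginGuard(max_failures=3, window_s=60, lockout_s=120, clock=clock)
    results = [guard.attempt("alice", f"guess{i}", verify_password) for i in range(3)]
    results.append(guard.attempt("alice", "correct horse battery staple", verify_password))
    clock.advance(121)  # lock has expired
    results.append(guard.attempt("alice", "correct horse battery staple", verify_password))
    return results


if __name__ == "__main__":
    print(demo())
```

The demo yields `denied, denied, locked, locked, ok`: the third failure triggers the lock, the correct password is refused while it holds, and it succeeds once the lock expires. Pair this per-account guard with per-source rate limiting, since the account-level counter alone can be used to lock legitimate users out.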
Brute Force Attacks Pros and Cons
Brute force attacks, with their straightforward approach of trying every possible combination until the correct one is found, have distinct strengths and weaknesses. Understanding these can help in better preparing for and defending against these attacks.
Pros
- Highly effective against weak or commonly used passwords.
- They don’t require a sophisticated understanding of the underlying system, nor do they exploit any vulnerability other than a weak password.
- They can be applied to any system that uses password-based authentication, making them a universally applicable method for attackers.
Cons
- More complex passwords take longer to crack.
- Modern security systems can detect and block repeated login attempts, making brute force attacks harder.
- Executing a brute force attack, especially against complex passwords, requires significant computational power.
- The widespread use of CAPTCHAs, account lockout policies, and two-factor authentication (2FA) has made brute force attacks less successful.
COVID-19 Prompted an Increase in Brute Force Attacks
With the rush to implement remote access systems to allow employees to work from home during the COVID-19 pandemic, security has often taken a back seat. The threat actors realized this, of course, and there has been an increase in the number of brute force attacks since the pandemic began.
Threat actors are nimble and can almost instantly exploit any new situation or major news story by re-deploying their existing threats. Brute-forcing is back in fashion.
This is a prime example of why you must remain diligent about security at all times, especially in times of crisis.
The Bottom Line
Brute force attacks highlight a critical vulnerability in digital security: weak passwords. Protecting against these attacks requires strong, complex passwords and the implementation of advanced security measures like 2FA. As attackers continually refine their methods, staying informed and adopting robust security practices is necessary.
The ongoing battle against brute force attacks demonstrates the need for a proactive cybersecurity approach. By understanding these attacks’ strengths and weaknesses, individuals and organizations can effectively fortify their defenses, keeping their digital assets secure against this persistent threat.
FAQs
What is a brute force attack in simple terms?
What is the difference between a password attack and a brute force attack?
Is a brute force attack effective?
What is a real-life example of a brute force attack?
Is it illegal to do a brute force attack?
How long can a brute force attack last?
How likely is a brute force attack?
References
- Have I Been Pwned: Check if your email has been compromised in a data breach (Have I Been Pwned)
- John the Ripper password cracker (Openwall)
- vanhauser-thc/thc-hydra: hydra (GitHub)
- Aircrack-ng (Aircrack-ng)
- hashcat – advanced password recovery (Hashcat)
- Millions of Brute-Force Attacks Hit Remote Desktop Accounts (Threatpost)