What is a Brute Force Attack?
A brute force attack is a method threat actors use to compromise accounts and identities by guessing passwords, credentials, encryption keys, or other relevant information. This attack involves making simple guesses until the correct combination is found.
Brute-forcing is a straightforward way to gain access, but it can also be exceptionally time-consuming. For instance, a brute force password attack tends to be the least efficient type of password cracking method.
GPU accelerators or botnets can reduce the time it takes to find the right login/password combination. Additionally, to speed up and systematize this process, various libraries, databases, and password dictionaries are used. However, complex passwords containing special characters will still take a long time to crack.
A typical brute force attack involves using specialized software. For example, when attempting to attack a mail server, this software checks a massive list of credential pairs on the targeted account. If the software successfully guesses the correct credentials, it stores them in memory or sends them to the attacker. The attack then continues to guess the keys to other accounts until all the credentials have been "checked" or the user-defined limits are reached.
What Systems Do Brute-Force Attacks Target?
Generally speaking, brute-force attacks target both remote and local systems.
When targeting remote systems, brute force attacks are frequently executed through botnet networks, which consist of infected devices organized into a single system that can number in the thousands or even millions. Using botnets to attempt to log into accounts helps spread the attack over time and also utilizes multiple IP addresses and device IDs. These characteristics make such an attack challenging to defend against.
When launching brute force attacks locally, attackers sometimes attempt to crack an encrypted zip file containing sensitive information they have intercepted and saved on their computer.
The fundamental parameters for a brute force attack are the size of the library and the speed of password guessing. In the absence of protective measures, the attack speed is limited by the capabilities of the malware being used, as well as the capacity of the hacked service to withstand the load.
Brute force attacks are widespread primarily because they require minimal skills to execute. A threat actor need only install special software, download a login/password database, configure the program's parameters, and wait for the results.
When it comes to professional attacks carried out by highly skilled hackers, brute force attacks are just one of many methods they might use. If the attack does not quickly yield results, the attacker will move on to other attack vectors.
Brute Force Attack Success Factors
Brute force attacks can be surprisingly effective, mainly because the most commonly used passwords are incredibly easy to guess. People often find it challenging to keep track of multiple passwords, which leads them to use simple and easy-to-remember passwords. As per NordPass, the most frequently used passwords in 2022 were:
Around 65% of people admit to reusing passwords. Additionally, 43% of people have shared their passwords with someone else. Alarmingly, only 45% of people would change their password after a breach.
Despite the existence of various methods and tools that minimize attempts to crack passwords using brute force attacks, many users and organizations ignore them. One of the primary reasons for this is that security measures (like multi-factor authentication) can sometimes slow down the authentication process or make it less convenient.
Software Tools Used for Brute Force Attacks
Manually picking passwords is a time-consuming and ineffective method. This is why hackers use specialized applications and algorithms for brute force attacks. These programs automatically send requests with various passwords. They can also generate passwords. The program stops once it finds a password matching the correct credentials.
There are numerous password cracking tools out there. While many of these tools are created by black-hat hackers for malicious purposes, some are also utilized by white-hat hackers in legal activities such as penetration testing and red teaming. Here are some of the popular tools:
- Burp Suite
- John the Ripper
Different Types of Brute-Force Attacks
Here are the most common categories of brute force attacks.
Simple brute force attack
To automate password cracking, simple programs and scripts are often utilized. They can make several hundred guessing attempts per second. As a result, simple passwords that lack special characters and consist only of letters or numbers can be guessed within a few seconds or minutes. The password-cracking speed can be multiplied using a GPU or building a high-performance cluster. As far back as 2012, a researcher used a computer cluster that could make 350 billion guesses per second.
Dictionary attack
A dictionary attack is a technique that relies on a database filled with common words and phrases often used as passwords. This approach is generally faster than a simple brute force attack, as it focuses on the most likely password options first. Passwords leaked from different services by hackers are now being actively incorporated into these dictionaries. As a result, any data breach can potentially contribute to the growth of databases used in dictionary attacks. Some dictionaries are publicly accessible, while others are sold on the dark web and contain extensive and up-to-date databases with many password options.
Hybrid attack
When a hacker combines a dictionary attack with a simple attack, it is called a hybrid attack. Many people add numbers to their passwords, such as birth year, graduation date, or another significant event. Usually, there are up to four numbers. An attacker might start with a dictionary list and then append or prepend numbers or special characters to each word.
Credential stuffing attack
In a credential stuffing attack, the hacker uses usernames and passwords that were exposed in previous data breaches to try and gain access to other accounts. This type of attack is successful because many people use the same password across multiple platforms. If a hacker has access to one account's information, there is a chance they can use that information to log into the same user's other accounts on different websites.
Reverse brute force attack
Instead of trying different passwords for a single username, a reverse brute force attack uses a single password, or a small set of passwords, against a large number of usernames. This approach is quite effective. Information security services regularly publish lists of popular passwords, and these ratings demonstrate that many people who do not know each other are using the same passwords.
Rainbow table attack
Passwords in computer systems are often stored in an encrypted form. When a user enters a password, it is converted into a hash value and compared to the stored hash. A rainbow table attack uses precomputed tables of hash values for possible passwords, allowing an attacker to look up the hash of a password to find its corresponding plaintext value.
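The storage side of this, as an added example that is not part of the original article: an unsalted fast hash gives every user with the same password the same stored value, which is what makes a precomputed table reusable, while a per-user random salt with a slow key-derivation function does not. The function names, the sample password and the iteration count are assumptions, and the salt mitigation goes slightly beyond what the paragraph above states.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def unsalted_record(password):
    """Weak storage: one fast hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    """Stronger storage: per-user random salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def demo():
    """Store the same constructed password for two users, both ways."""
    pw = "Winter2024!"  # constructed sample password shared by two users
    weak = (unsalted_record(pw), unsalted_record(pw))
    strong = (salted_record(pw), salted_record(pw))
    return {
        # Same hash twice: one precomputed table entry covers both users.
        "unsalted_identical": weak[0] == weak[1],
        # Different salts give different digests, so a shared table is useless.
        "salted_identical": strong[0][1] == strong[1][1],
        "verifies": verify(pw, strong[0]),
        "rejects_wrong": verify("winter2024!", strong[0]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```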
Distributed brute force attack
In this type of attack, cybercrooks use multiple machines or devices to simultaneously carry out the attack, often with the help of a botnet. This approach can significantly accelerate the process and make it more difficult for the targeted system to detect and block the attack.
In this type of attack, the hacker uses a brute force approach to access a specific user's account. Using both OSINT and spyware, cybercriminals try to gather as much information about the victim as possible, including possible login credentials and personal details. Then, they input the target resource address into a program along with a specially crafted login/password dictionary. If the user's password is based on personal information and is not very long, the attack can be successful in a short amount of time.
Defending Against Brute Force Attacks
So, what are the best, proven methods for defending accounts, identities, and systems from brute force threats?
- One of the most effective ways to protect a user account from brute-forcing is to enable multi-factor authentication (MFA), if it’s available. This method ensures that even if a hacker knows the password, they still cannot access the account without the second auth factor.
- Another effective method is to create a strong password that includes a mix of upper- and lower-case letters, numbers, and special characters and is at least 12 characters long. It is important to make your password as difficult as possible. Research shows that passwords with up to seven characters are cracked in 77% of cases, and if there are ten characters, the volume of successful hacks drops to 6%. To make things easier, you can use a password generator tool to create strong and unique passwords.
- Simply having a very long password will not guarantee protection against phishing attacks, exploiting software vulnerabilities, or other hacking methods. That is why it is recommended to change your password regularly, as often as possible.
- Use unique usernames and passwords for different accounts.
- It is challenging to remember many complex passwords. So, it is recommended to use password managers. These tools can generate and securely store strong and unique passwords for all your accounts. Privileged password management solutions should be implemented to automate password security best practices for both human and machine privileged account passwords and secrets, which pose the greatest threat if compromised.
- Introduce multi-factor authentication mechanisms.
- Enforce strong password requirements. Basic requirements include the minimum number of characters, requiring the use of both upper and lower case letters, limiting the number of repeated characters, and including numbers and special characters.
- Another effective way to increase the time it takes for password brute force attacks is to use CAPTCHA. This method can help verify the login attempt is made by a human rather than an automated bot.
- To prevent illegitimate login attempts, establish rules and patterns for identifying them. You can create a blocking algorithm based on various metrics, such as the source IP address, user agent, cookie value, number of incorrect login attempts, and their frequency. AI-powered technologies offer plenty of ways to simplify this task. Another effective method is to implement a time delay between login attempts, which can help to slow down automated attacks.
- Delete inactive accounts. By deleting inactive or orphaned accounts, you can minimize the number of potential targets for hackers.
- Use IDS/IPS systems. An intrusion detection system (IDS) monitors network traffic and can identify patterns and anomalies indicative of a brute force attack. It can then generate alerts or notifications to security personnel, who can take action to investigate and block the attack. An IPS can go one step further by automatically blocking suspicious login attempts, preventing the attacker from accessing the system altogether.
- Implement ITDR. The emerging discipline of identity threat detection and response (ITDR) combines threat intelligence, detection, and response orchestration to rapidly break through the data noise to stop attacks.
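One way to implement the blocking rules and login delay from the list above, as an added example that is not part of the original article: a sliding-window detector over failed logins that flags many failures from one IP, one IP trying many usernames (reverse brute force), and one username hit from many IPs (distributed attack), plus an exponential delay between attempts. The log format, thresholds, addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
MAX_FAILS_PER_IP = 5            # assumed thresholds; tune per service
MAX_USERS_PER_IP = 4
MAX_IPS_PER_USER = 4

def parse(line):
    """Parse a constructed 'ts ip=.. user=.. result=..' log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"] == "OK"

def detect(lines):
    """Return a set of (rule, key) alerts over failed logins in a sliding window."""
    by_ip, by_user = defaultdict(deque), defaultdict(deque)
    alerts = set()
    for ts, ip, user, ok in sorted(map(parse, lines)):
        if ok:
            continue
        for q, item in ((by_ip[ip], user), (by_user[user], ip)):
            q.append((ts, item))
            while q[0][0] < ts - WINDOW:  # drop events older than the window
                q.popleft()
        if len(by_ip[ip]) > MAX_FAILS_PER_IP:
            alerts.add(("many-failures-from-ip", ip))
        if len({u for _, u in by_ip[ip]}) > MAX_USERS_PER_IP:
            alerts.add(("one-ip-many-usernames", ip))    # reverse brute force
        if len({i for _, i in by_user[user]}) > MAX_IPS_PER_USER:
            alerts.add(("one-username-many-ips", user))  # distributed attack
    return alerts

def login_delay(failures, base=1.0, cap=300.0):
    """Seconds to wait before the next attempt: exponential backoff with a cap."""
    return 0.0 if failures == 0 else min(cap, base * 2 ** (failures - 1))

def sample_log():
    """Constructed sample events (documentation IP ranges, made-up users)."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    def line(sec, ip, user, result):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} ip={ip} user={user} result={result}"
    log = [line(i * 2, "203.0.113.5", "alice", "FAIL") for i in range(6)]
    log += [line(100 + i, "198.51.100.7", f"user{i}", "FAIL") for i in range(5)]
    log += [line(200 + i, f"192.0.2.{i + 1}", "bob", "FAIL") for i in range(5)]
    log += [line(300, "192.0.2.50", "carol", "FAIL"), line(305, "192.0.2.50", "carol", "OK")]
    return log

if __name__ == "__main__":
    print(sorted(detect(sample_log())))
```

A single mistyped password followed by a successful login (the `carol` events) raises no alert, which is the false-positive case these thresholds need to tolerate.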
Minimizing Your Vulnerability to Brute Force Attacks
Brute force attacks remain a constant threat due to their simplicity and the widespread use of weak passwords. Although these attacks are just one of many methods hackers employ, their continued success highlights the need for users and organizations to prioritize robust security measures.
By identifying and rooting out poor password practices, automating password management, and implementing multiple layers of authentication security, organizations can vastly minimize the attack surface for brute force threats.
Alex Vakulov, Guest Blogger
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He writes for numerous security-related publications, sharing his security experience.