What Is a Brute Force Attack?
The brute force attack is arguably the simplest form of all cyber attack and hacking methods. The main idea behind is fairly simple: if we have an unlimited amount of chances to guess a password, we’d guess right eventually.
So, a brute force attack is an attempt to guess something using a trial and error approach, hoping to guess correctly eventually. It is most commonly used to guess passwords, but we can also use it to guess username, encryption key, or even a hidden web page. Once the account is breached, the attacker can steal sensitive data, execute an even larger attack, and even shut down the system altogether.
A brute force attack can take anywhere from just mere seconds (if the attacker is lucky), but can also last for many years. According to IBM, many websites and systems are targeted by the same hackers every single day for months and even years.
Different Types of Brute Force Attacks
Although the concept of the brute force attack is fairly simple—as discussed above—, there are actually many different variants of this attack, each with the aim of increasing its potential success rate. Below are the most common types of brute force attacks:
Basic Iterative Brute Force Attack
The basic form of brute force attack, where the attacker iterates through all possible passwords modifying one character at a time. Since most login pages now limit the number of attempts, it’s typically ineffective and is more commonly used on local files.
“Dictionary” Brute Force Attack
The attacker uses a list of common passwords and phrases instead of randomly guessing the password. With time and more attempts, the attacker will build a “dictionary” of sorts and iterate through them. There are a lot of words that are commonly used for passwords, and so if the attacker is lucky, this approach can improve the success rate.
Hybrid Brute Force Attack
A hybrid attack uses both the dictionary attack and the basic iterative pattern. This method will perform modifications to words in the dictionary list, one at a time.
How To Prevent Brute Force Attack
1.Implement Stronger Passwords
This is fairly obvious, but still, often overlooked by many people. The stronger the password is, the more difficult the brute force attack can crack it.
A strong password must be:
- Hard to guess
The password shouldn’t be related to your personal information (like your birthday, spouse’s name, etc. ), or else when your personal information is stolen, it can be used for credential stuffing attack.
The password should be at least 12 characters long and consists of the combination of both uppercase and lowercase letters, numbers, symbols, and spaces. Nowadays, however, we can use various random password generators, like lastpass. There are also various password management tools to help manage the randomized passwords of your whole team.
As mentioned, the password should be at least 12 characters long. Longer passwords mean more possible combinations before the brute force attack can guess it. If the password is only 8 characters long, it is obviously easier to guess than when the password is 20 characters long.
In general, use the full-length password that is supported by the platform or website. Again, we can use random password generators and various password auto filler or password management tools if you feel the long password is difficult to remember.
Avoid reusing passwords on different websites. If your credentials on one website or platform are compromised, the attacker can more easily target you and steal more accounts. Again, there are various tools that can help you here, so make sure to make the most of them.
2. Use CAPTCHA to Prevent Automated Attacks
Since brute force attacks can take a long time and might require thousands and even millions of attempts, it is commonly attempted by a bot or automated software. So, a CAPTCHA is a program that allows you to distinguish between computers and humans and is particularly effective in stopping automated brute force attacks.
The main principle of Captcha is fairly simple: it presents a simple test that is (and should be) easy for humans to pass, but difficult for computers and AI to answer. So, in an effective CAPTCHA, human users must be able to answer the test as close to 100% of the attempts as possible, while at the same time the automated systems should fail as close to 100% of the attempts as possible.
A sophisticated program can still brute-force the CAPTCHA and ‘guess’ the solution. However, this can add another layer to prevent the brute force attack and prevents the
So, implementing a captcha on your website’s login system can be a very affordable and yet effective measure against brute-force attacks.
3. Limit Attempts
A very obvious approach to stop brute-force attempts is to lock out accounts after a certain number of incorrect attempts. The account lockout can last a specific duration or until the real owner can verify their identity (via 2-factor authentication or otherwise). If it’s a crucial account, we can set that the account will remain locked unless it’s manually activated by an admin.
However, there are several drawbacks to this approach:
- The attacker can abuse this and lock-out all user accounts. This is why many big websites and platforms that are constantly targeted by brute-force attacks cannot implement account lock-out policy.
- With the above approach, the attacker can flood the help desk with support calls by locking out many accounts.
- The website can’t lock out an account that doesn’t exist in the first place. So, attackers could use this policy to find out legitimate usernames from the site.
- Ineffective against ‘slow’ brute force attacks that try only a few passwords every hour or even every day
- Ineffective in brute-force attacks where the attacker only try one password for usernames (which is a common technique).
- Most systems don’t lockout administrator account but at the same time admin accounts are the most often attacked
That’s not saying account lockout is completely ineffective. You can certainly use it in controlled environments like if your company’s website is not a common target of brute force attack, or on the other hand if the risk of a compromised password is so great that semi-DoS attack through account lockout is preferable.
If you do want to implement account lockout policy, however, make sure to design the system carefully, including careful usage of error responses so attackers can’t differentiate between legitimate usernames and accounts that don’t exist, among other reasons.
Using Two-Factor Authentication (2FA)
Two-factor authentication is, simply put, asking for a second factor (the second piece of information) besides password (username). It can be something like:
- Something you know: a PIN, a secret question and answer, a visual pattern, etc.
- Something you have: a dongle or token, NFC chip on your smartphone, a key, etc.
- Something you are: face ID, fingerprint, retinal scan, and voice recognition
2FA is a very important method to defend against brute-force attacks because now the password alone is not enough to access the account. Also, two-factor authentication is effective against other types of attacks like keylogger attacks, phishing, and others.
Including 2FA might not be practical for all businesses, but including this option as extra security can be a very effective line of defense against brute force attacks.
While due to the nature of the brute force attack, there’s no effective means to 100% eliminate the risk (since a persistent attacker with an unlimited amount of time will eventually break-in), implementing the techniques we have discussed above can significantly minimize the risk.
If you put enough defenses and don’t allow yourself to be easy prey, brute force attackers might simply turn away to another target.