Passwords alone do not protect user accounts, but you can.
Setting a common password just for the sake of it gives you a disguised assurance of security. But, passwords are often predictable, making you an easy target for brute force attacks.
Brute force attacks attempt to steal or decrypt your sensitive information or infect systems with malware by cracking user credentials or encryption keys. Security solutions like multi-factor authentication (MFA) systems put up a solid defense to safeguard user accounts against brute force attacks.
You can implement MFA for users as the first line of defense and enrich it with various preventive measures.
What is a brute force attack?
A brute force attack is a systematic approach of checking possible combinations of user IDs and passwords to infiltrate an authentication system and login successfully to a web application or an operating system.
Brute force attacks are not limited to user IDs and passwords. In general, a brute force attack refers to repeated attempts to reveal sensitive information through a consistent trial and error process. They also include guessing and validating plausible encryption keys, a method popularly known as exhaustive key search.
Attackers primarily use brute force attacks for password cracking (i.e., exploiting vulnerabilities in set passwords and gaining unauthorized access). This type of cyber attack penetrates authentication mechanisms and allows malicious hackers to access your IT assets.
Brute force attacks are cryptanalytic attacks that are used when attackers can't find vulnerabilities that they can easily exploit. It doesn't make sense for an attacker to make significant efforts to exploit a vulnerability that may not deliver the expected benefits.
In such scenarios, brute force attacks become a potential instrument of choice for attackers because they are easier to perform and can deliver substantial unethical benefits if carried out successfully. Attackers automate the password guessing process with a set of login IDs and passwords and reap the benefits by cracking the authentication and encryption protocols.
Short passwords are easier and relatively faster to guess in the attack process, but longer passwords can take up a substantial amount of time and computing power.
Why do hackers conduct brute force attacks?
Cybercriminals usually conduct brute force attacks to uncover your sensitive information and gain access to your system. The intent behind an attack can be to use your information to gain access and launch a much larger cyber attack on your assets or organization.
of data breaches caused by hacking in 2020 involved brute force or the use of lost or stolen credentials.
Hackers can conduct an attack to brute force passwords or passphrases, making your accounts and networks vulnerable to a data breach. Harvesting user credentials for third parties can also be a possible goal of a brute force attack. These credentials might be used later to gain unethical benefits of the victim's data or damage their public reputation.
Threat actors can also use brute force attacks to conduct social engineering attacks by sending phishing emails through compromised user accounts.
When do hackers use brute force attacks?
Malicious hackers generally take the brute force attack route when they have ample time to victimize their target. A brute force attack can be a time-intensive and lengthy process. It involves running through several possible password combinations or encryption keys.
As the user credential's string length increases, so does the expected time to crack it. It's a slow but straightforward process. Given sufficient time, an attacker can conduct a brute force attack to crack password-based systems and access victims' assets without exploiting any technical vulnerability.
Types of brute force attacks
There are various techniques that an attacker can use to carry out a brute force attack. You should have a reliable defense mechanism to protect yourself from being attacked.
Simple brute force attacks
A simple brute force attack involves an attacker making logical guesses to crack your authentication system. These aren't assisted by software tools but are based on the details they might have on you.
For example, checking passwords such as "name12345" or "name@123" and several other number-and-character variations. For a personal identification number (PIN), an attacker might run through your birth year, your birth year in reverse order, and similar numbers relevant to you or your family.
Hybrid brute force attacks
In a hybrid brute force attack, attackers guess possible passwords beyond the scope of their logic by combining common (or trending) words with random characters. It includes checking passwords like "marvel2020" or "bitcoin36000" and similar variations.
It starts from external logic to identify potential passwords and continues with a simple approach to try and test several possible combinations.
Reverse brute force attacks
Reverse brute force attacks begin with a known password and test it against multiple user IDs. Attackers generally use leaked passwords shared on the internet as a stepping stone to find matching user IDs and access a target's assets.
In a reverse brute force attack, an attacker isn't targeting a specific user but finding a user ID for a particular password.
Credential stuffing
Credential stuffing abuses the fact that many users reuse the same usernames and passwords across multiple systems. Attackers try pairs of breached usernames and passwords on various websites to find a successful match.
Attackers utilize credential stuffing to take over user accounts. When they get user credentials spilled from data breaches or password dumping sites, they check them against several websites like social media platforms or online marketplaces. The attacker can steal your credit card details, social security numbers, and other sensitive data to carry out new nefarious activities on finding a successful match.
Dictionary attacks
A dictionary attack requires an attacker to use ordinary words (as they appear in a dictionary) paired with a typical sequence of numbers or special characters in password cracking. Attackers might use a standard dictionary or a unique dictionary crafted for malicious purposes. For example, they might check passwords like steam, steel, steep, etc.
Dictionary attacks often turn out to be successful because users have an inherent tendency to use day-to-day words in their passwords.
Rainbow table attacks
A rainbow table is a precomputed dictionary of passwords and their hash values. In a system, passwords aren't stored as plain text but as the output of a one-way hash function. When a user enters a password, it's converted into its corresponding hash value and compared with the stored hash. If there is a match, the user gains access to their account.
An attacker leverages a rainbow table to crack passwords in a rainbow table attack. Since more than one input can produce the same hash value, knowing the actual password isn't necessary: any input that hashes to the stored value will authenticate.
While rainbow table attacks take ample preparation time, the actual attacks are much faster because the technique trades increased storage space for decreased cracking time.
Brute force attack examples
Brute force attacks' end goal is to steal data or disrupt service delivery. As a result, these attacks have become a significant threat to an organization's security posture.
Some notable examples of brute force attacks from recent history are:
- In 2013, GitHub became a victim of a brute force attack, where several securely stored passwords were compromised. It was identified that the brute-force login attempts were made from approximately 40,000 unique IP addresses.
- Club Nintendo was targeted with a brute force attack that affected 25,000 forum members in 2013. Attackers made 15 million brute-force attempts to crack user accounts.
- Alibaba's TaoBao, in 2016, suffered a brute force attack where 21 million user accounts were compromised. Attackers used a database containing close to 99 million usernames and passwords to brute force existing TaoBao user accounts.
- Mozilla Firefox's master password feature became a victim of a brute force attack in 2018. The number of user credentials that were exposed is unknown. In 2019, Firefox introduced a fix to resolve this issue.
- In 2018, Magento was hit by a brute force attack that compromised close to 1000 admin panels.
Brute force attack tools
Brute force attacks are conducted with the help of automated tools that check user credentials until a successful match is found. With many possible usernames and passwords, manual testing gets tricky. Consequently, attackers leverage automation to expedite the guessing process in such situations.
Here are some famous examples of brute force attack tools*:
- THC Hydra cracks network authentication by performing a dictionary attack against more than 30 protocols (HTTP, FTP, HTTPS, etc.).
- Aircrack-ng performs brute force attacks on Wi-Fi 802.11 and is used to crack Wi-Fi passwords with the help of WEP/WPA/WPA2-PSK cracker and analysis tools.
- John the Ripper is used to crack weak passwords and penetrate password-based systems. It supports 15 platforms, including Unix, Windows, and DOS.
- Rainbow Crack generates rainbow tables to perform brute force attacks and helps reduce the attack's time span.
- L0phtCrack is used to crack Windows passwords with dictionary attacks, hybrid attacks, and rainbow tables.
* These tools should only be used for ethical purposes to test and strengthen systems against brute force attacks.
How to detect a brute force attack
Attackers can carry out brute force attacks with many variations. You need to set preventive measures and enforce them to defend yourself against such attacks.
Here are some of the signs that might suggest a brute force attack:
- Several unsuccessful login attempts from one IP address
- Login requests coming for a single user account from multiple IP addresses
- Logins with multiple usernames from the same IP address
- Logins with a referring URL of someone's mail or IRC client
- Questionable usage and bandwidth consumption from a single user
- Unsuccessful login attempts made from alphabetical or sequential usernames or passwords
- Referring URL to password-sharing websites
With early detection and proper preventive measures, organizations can limit their exposure to brute force attacks.
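The first three signs above can be checked mechanically against an authentication log. The following detector is an added example, not code from the original article; it assumes a constructed log line format of `<timestamp> <FAIL|OK> user=<name> ip=<addr>` and illustrative thresholds, both of which you would adapt to your own log source.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data); the format is assumed.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice ip=198.51.100.7
2024-03-01T09:00:02Z FAIL user=bob ip=198.51.100.7
2024-03-01T09:00:03Z FAIL user=carol ip=198.51.100.7
2024-03-01T09:00:04Z FAIL user=dave ip=198.51.100.7
2024-03-01T09:00:05Z FAIL user=erin ip=198.51.100.7
2024-03-01T09:00:06Z FAIL user=admin ip=203.0.113.10
2024-03-01T09:00:07Z FAIL user=admin ip=203.0.113.11
2024-03-01T09:00:08Z FAIL user=admin ip=203.0.113.12
2024-03-01T09:00:09Z OK user=frank ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def detect_brute_force(text, max_fail_per_ip=5, max_ips_per_user=3, max_users_per_ip=4):
    """Flag the three log-based signs of a brute force attack:
    - 'fail_ip': one IP with many failed attempts (simple/dictionary attack)
    - 'user_many_ips': one account hit from many IPs (distributed attack)
    - 'ip_many_users': one IP trying many usernames (reverse brute force)
    Thresholds are illustrative; tune them to your own baseline."""
    fails_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    users_by_ip = defaultdict(set)
    for _, result, user, ip in parse_log(text):
        if result != "FAIL":
            continue  # only failed attempts feed the counters
        fails_by_ip[ip] += 1
        ips_by_user[user].add(ip)
        users_by_ip[ip].add(user)
    return {
        "fail_ip": sorted(ip for ip, n in fails_by_ip.items() if n >= max_fail_per_ip),
        "user_many_ips": sorted(u for u, s in ips_by_user.items() if len(s) >= max_ips_per_user),
        "ip_many_users": sorted(ip for ip, s in users_by_ip.items() if len(s) >= max_users_per_ip),
    }

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))
```

On the sample log, one source address trips both the failed-attempt and the many-usernames rules, while the `admin` account is flagged for being targeted from three different addresses.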
How to prevent brute force attacks
Brute force attacks work on a trial and error basis, and there’s no technical vulnerability that gets targeted. Due to this, you need to follow security best practices to protect your assets against brute force attacks instead of solely strengthening your defense mechanisms.
Enforce strong and unique passwords
Creating strong passwords that are unpredictable and unique puts up a strong defense against brute force attacks. For example, a lengthy and complex password is far harder to guess than a password built from a parent's name and birth year.
Ensure that you use different passwords for different user accounts. Reusing the same credentials across all accounts makes it easy for attackers to exploit one compromise and extract sensitive information from every account.
Lock user accounts
A series of failed login attempts in user accounts might indicate a possible brute force attack. You can lock such user accounts for a specific duration or unlock them with the administrator's permission.
Account lockouts must be performed in a controlled manner. They can easily lead to denial of service when brute force attacks are conducted at scale. In such situations, account lockouts with progressive delays are suitable solutions, i.e., for every set of failed login attempts, the time span of account lockouts is progressively increased.
You need to look out for situations where account lockouts might be a less effective choice:
- Slow brute force attacks where only a few login attempts are made in a fixed time span.
- Reverse brute force attacks where one password is checked against multiple usernames.
- Multiple account lockouts, causing a rise in support demands from the IT helpdesk and using it as a diversion to conduct a bigger cyber-attack.
Account lockouts are suitable where the risk of account compromise outweighs the risk of denial of service. Enterprises can use intrusion detection and prevention systems to set custom rules that restrict IP addresses and apply account lockouts in a controlled manner.
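The progressive-delay lockout described above, as an added example that is not part of the original article. The policy it encodes is an assumption: after every block of `threshold` consecutive failures the account is locked for a period that doubles per block, capped at `max_delay`, and a successful login clears the counter. Timestamps are passed in explicitly so the behaviour can be exercised without waiting.

```python
class ProgressiveLockout:
    """Per-account lockout whose duration grows with each block of failures.

    Hypothetical policy: every `threshold` consecutive failed attempts lock
    the account for base_delay * 2**(block - 1) seconds, up to max_delay.
    Progressive delays keep a single burst from locking users out for long,
    which limits the denial-of-service side effect the article warns about.
    """

    def __init__(self, threshold=5, base_delay=30, max_delay=3600):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> unix time at which the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now):
        """Register a failed attempt; return seconds remaining on any lock."""
        if self.is_locked(user, now):
            return self._locked_until[user] - now  # attempts during a lock don't count
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n % self.threshold == 0:
            block = n // self.threshold
            delay = min(self.base_delay * 2 ** (block - 1), self.max_delay)
            self._locked_until[user] = now + delay
            return delay
        return 0

    def record_success(self, user):
        """A successful login resets both the counter and any expired lock."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def attempt_login(self, user, password, now, check):
        """Gate a login through the lockout; `check(user, password)` verifies
        the credentials. Even a correct password is refused while locked."""
        if self.is_locked(user, now):
            return False
        if check(user, password):
            self.record_success(user)
            return True
        self.record_failure(user, now)
        return False
```

Pair this per-account state with per-source-IP limits at the IDS/IPS or reverse proxy, since a reverse brute force attack spreads its attempts across many accounts and never trips a per-account counter.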
Employ two-factor authentication (2FA)
Two-factor authentication is widely used as the first line of defense against brute force attacks. It requires a user to prove their identity twice, reducing the risk of a security breach even when an attacker gets a successful password match.
Most hackers (except a few persistent ones) will step aside and search for easier targets. But you should ensure that you use different credentials for your other accounts (email, security software, etc.) to prevent hackers from gaining access to them and getting past the 2FA.
Monitor server logs
Carefully analyze all server logs as they are an essential data source for recognizing diverse patterns of brute force attacks. Based on these logs, you can gain insights to plan your future defense strategies and ensure account or network security.
Security information and event management (SIEM) systems serve as an excellent solution to store, monitor, and analyze all logs centrally. In cases of account compromise, SIEM systems will help you gather digital forensic evidence to initiate an incident response plan.
Use CAPTCHA
CAPTCHA works by asking a user to pass a simple challenge that is difficult for a computer. For example, asking a user to count the number of yellow pens in an image is easy for a person, but interpreting the image can be a puzzle for a machine.
Even though CAPTCHA adds a step to accessing a user account, it's highly beneficial for ensuring account security. It can degrade the user experience slightly, but it builds trust by protecting sensitive information from automated brute force attacks and bots.
Double down on prevention
Adopt the best prevention techniques and build the required security tech stack to safeguard your systems from brute force attacks and maintain cybersecurity.
If an attacker manages to penetrate authentication systems even after enforcing preventive measures, initiate your incident response plan to control and restrict the damage they can cause.