June 25, 2021
by Sagar Joshi / June 25, 2021
Passwords alone do not protect user accounts, but you can.
Setting a common password just for the sake of it gives you a disguised assurance of security. But, passwords are often predictable, making you an easy target for brute force attacks.
Brute force attacks attempt to steal or decrypt your sensitive information or infect systems with malware by cracking user credentials or encryption keys. Security solutions like multi-factor authentication (MFA) systems put up a solid defense to safeguard user accounts against brute force attacks.
You can implement MFA for users as the first line of defense and enrich it with various preventive measures.
A brute force attack is a systematic approach of checking possible combinations of user IDs and passwords to infiltrate an authentication system and login successfully to a web application or an operating system.
Brute force attacks are not limited to only user IDs and passwords. In general, brute force attack refers to the number of attempts made to reveal sensitive information through a consistent trial and error process. They also include guessing and validating plausible encryption keys created during password setting, popularly known as exhaustive key research.
Attackers primarily use brute force attacks for password cracking (i.e., exploiting vulnerabilities in set passwords and gaining unauthorized access). This type of cyber attack penetrates authentication mechanisms and allows malicious hackers to access your IT assets.
Brute force attacks are cryptanalytic attacks that are used when attackers can't find vulnerabilities that they can easily exploit. It doesn't make sense for an attacker to make significant efforts to exploit a vulnerability that may not deliver the expected benefits.
In such scenarios, brute force attacks become a potential instrument of choice for attackers because they are easier to perform and can deliver substantial unethical benefits if carried out successfully. Attackers automate the password guessing process with a set of login IDs and passwords and reap the benefits by cracking the authentication and encryption protocols.
Short passwords are easier and relatively faster to guess in the attack process, but longer passwords can take up a substantial amount of time and computing power.
Cybercriminals usually conduct brute force attacks to uncover your sensitive information and gain access to your system. The intent behind an attack can be to use your information to gain access and converge a much larger cyber attack on your assets or organization.
80%
of data breaches caused by hacking in 2020 involved brute force or the use of lost or stolen credentials.
Source: Verizon
Hackers can conduct an attack to brute force passwords or passphrases, making your accounts and networks vulnerable to a data breach. Harvesting user credentials for third parties can also be a possible goal of a brute force attack. These credentials might be used later to gain unethical benefits of the victim's data or damage their public reputation.
Threat actors can use brute force attack to conduct social engineering attacks by sending phishing emails through compromised user accounts.
Malicious hackers generally take the brute force attack route when they have ample time to victimize their target. A brute force attack can be a time-intensive and lengthy process. It involves running through several possible password combinations or encryption keys.
As the user credential’s string length increases, so does the expected time to crack. It's a slow but plain sailing process. Given sufficient time, an attacker can conduct a brute force attack to crack password-based systems and access victims' assets without exploiting technical vulnerabilities.
There are various techniques that an attacker can use to converge a brute force attack. You should have a reliable defense mechanism to protect yourself from being attacked.
A simple brute force attack involves an attacker making logical guesses to crack your authentication system. These aren't assisted by software tools but are based on the details they might have on you.
For example, checking "name12345," or "name@123" and several other variations as number and character passwords. For personal identification number (PIN), an attacker might run through your birth year or birth year in reverse order and similar numbers relevant to you or your family.
Attackers guess possible passwords beyond the scope of their logic to conduct a hybrid brute force attack by thinking combinations of common (or trending) words with random characters. It includes checking passwords like "marvel2020" or "bitcoin36000" and similar variations.
It starts from external logic to identify potential passwords and continues with a simple approach to try and test several possible combinations.
Reverse brute force attacks begin with a known password and testing it against multiple user IDs. Attackers generally use leaked passwords shared on the internet as a stepping stone to find matching user IDs to access a target’s assets.
In reverse brute force attack, an attacker isn't targeting a specific user but finding a user ID for a particular password.
Credential stuffing abuses the fact that many users can have the same usernames and passwords across multiple systems. Attackers use pairs of breached usernames and passwords on various websites to find a successful match.
Attackers utilize credential stuffing to take over user accounts. When they get user credentials spilled from data breaches or password dumping sites, they check them against several websites like social media platforms or online marketplaces. The attacker can steal your credit card details, social security numbers, and other sensitive data to carry out new nefarious activities on finding a successful match.
A dictionary attack requires an attacker to use ordinary words (as they are in a dictionary) paired with a typical sequence of numbers or special characters in password cracking. Attackers might use a standard dictionary or a unique dictionary crafted for malicious purposes. For example, they might check passwords like steam, steel, steep, etc.
Dictionary attacks often turn out to be successful because users have an inherent tendency to use day-to-day words in their passwords.
Rainbow table is a precomputed dictionary of passwords and their hash values. In a system, passwords aren't stored as plain text but are hashed using encryption. When a user enters the passwords, it's converted into its corresponding hash value and is verified with the stored hash. If there is a match, the user gains access to their accounts.
An attacker leverages a rainbow hash table to crack passwords in a rainbow table attack. Since more the one text can have identical hash values, knowing the actual password isn't necessary as long as an attacker can authenticate with the hash.
While rainbow table attacks take ample preparation time, the actual attacks are much faster as the algorithm trades increase space usage with decreased time.
Brute force attacks' end goal is to steal data or disrupt service delivery. As a result, these attacks have become a significant threat to an organization's security posture.
Some notables examples of brute force attacks from recent history are:
Brute force attacks are conducted with the help of automated tools that check user credentials until a successful match is found. With many possible usernames and passwords, manual testing gets tricky. Consequently, attackers leverage automation to expedite the guessing process in such situations.
Here are some famous examples of brute force attack tools*:
* These tools should only be used for ethical purposes to test and strengthen systems against brute force attacks.
Attackers can carry out brute force attacks with many variations. You need to set preventive measures and enforce them to defend yourself against such attacks.
Here are some of the signs that might suggest a brute force attack:
With early detection and proper preventive measures, organizations can limit their exposure to brute force attacks.
Brute force attacks work on a trial and error basis, and there’s no technical vulnerability that gets targeted. Due to this, you need to follow security best practices to protect your assets against brute force attacks instead of solely strengthening your defense mechanisms.
Creating strong passwords that are unpredictable and unique puts up a strong defense against brute force attacks. For example, a lengthy and complex password will be difficult to guess compared to a parent's name and birth year in a password.
Ensure that you have different passwords for multiple user accounts. Using similar user credentials for all accounts makes it easy for attackers to exploit and extract sensitive information from all accounts.
A series of failed login attempts in user accounts might indicate a possible brute force attack. You can lock such user accounts for a specific duration or unlock them with the administrator's permission.
Account lockouts must be performed in a controlled manner. They can easily lead to denial of service when brute force attacks are conducted at scale. In such situations, account lockouts with progressive delays are suitable solutions, i.e., for every set of failed login attempts, the time span of account lockouts is progressively increased.
You need to look out for situations where account lockouts might be a less effective choice:
Account lockouts are suitable in a place where the risk is higher than the denial of service. Enterprises can use intrusion detection and prevention systems to set custom rules to restrict IP addresses and conduct account lockouts in a controlled manner.
Two-factor authentication is widely used as the first line of defense against brute force attacks. It requires a user to prove their identity twice, reducing the risk of a security breach even when an attacker gets a successful password match.
Most hackers (except a few persistent ones) will step aside and search for easier targets. But you should ensure that you have different user credentials for other accounts (email, security software, etc.) to prevent hackers from gaining access to them and get past the 2FA.
Carefully analyze all server logs as they are an essential data source for recognizing diverse patterns of brute force attacks. Based on these logs, you can gain insights to plan your future defense strategies and ensure account or network security.
Security information and event management (SIEM) systems serve as an excellent solution to store, monitor, and analyze all logs centrally. In cases of account compromise, SIEM systems will help you gather digital forensic to initiate an incident response plan.
CAPTCHA works by testing a user to pass a simple challenge difficult for a computer. For example, asking a user to count the number of yellow pens in an image is easy. Still, it can be a puzzle for a machine to interpret the image.
Even though CAPTCHA increases the number of steps a user takes to access a user account, it's highly beneficial for ensuring account security. It can waver a user's experience, but it enriches their trust by protecting sensitive information from automated brute force attacks and bots.
Adopt the best prevention techniques and build the required security tech stack to safeguard your systems from brute force attacks and maintain cybersecurity.
If an attacker manages to penetrate authentication systems even after enforcing preventive measures, initiate your incident response plan to control and restrict the damage they can cause.
Sagar Joshi is a former content marketing specialist at G2 in India. He is an engineer with a keen interest in data analytics and cybersecurity. He writes about topics related to them. You can find him reading books, learning a new language, or playing pool in his free time.
A lot can happen between a login and a logout.
Security vulnerabilities are a consistent threat to cybersecurity.
Everyone wants to keep their information safe.
A lot can happen between a login and a logout.
Security vulnerabilities are a consistent threat to cybersecurity.