What Is a Brute Force Attack, and Are You at Risk?
A brute force attack is when hackers use trial and error to guess login credentials, encryption keys, or some other secret value. In its purest form the attacker works through every possible combination of permitted characters, in order, until one of them works.
The attack is called “brute force” because it relies on the sheer volume of attempts rather than on any weakness in the system: it is an overwhelming attempt to “force” one’s way into a secured location.
This is one of the oldest forms of attack, but it is still popular today. Cracking a password this way can take anywhere from seconds to longer than the age of the Universe, depending on the length and randomness of the chosen password, how fast each guess can be checked, and the amount of computing power (rented cloud GPUs, for example) put to use in the attack.
To prevent brute force and related attacks, you need to ensure your team is using long, complex, and random passwords. This is best accomplished using a password manager.
TeamPassword keeps all your passwords safe and up to date so that they are there when you need them.
TeamPassword lets you safely share passwords with teammates while ensuring that your projects are safe.
Sign up today for a free 14-day TeamPassword trial and protect your company's digital assets from cybercriminals.
Types of brute force and related attacks
A traditional brute force attack is unsophisticated: it cycles through every combination of permissible characters, so to a pure exhaustive search the word “password” is no easier or harder to hit than the random string “aT./$x6m” of the same length drawn from the same character set. In practice, though, brute force is modified or combined with other techniques that try likely passwords first, and that makes reused or common passwords far less safe. The following are some of the brute force and related attacks used today:
- Simple brute force attacks
- Dictionary attacks
- Hybrid brute force attacks
- Reverse brute force attacks
- Credential stuffing
Simple brute force attacks
The simple brute force attack cycles through all possible passwords in order. As an overly simple example, if your login only allows six-character lowercase passwords, the attack would start at “aaaaaa”, go to “aaaaab”, and so on until it reached “zzzzzz”.
Dictionary attacks
Dictionary attacks are not brute force attacks in the strict sense, but they are often run as the prelude to one, and combining the two makes it far more likely that the attack will succeed.
In these attacks, the hacker first tries every entry in a wordlist. These wordlists include not only the words you’d find in the Merriam-Webster dictionary but also common variations of those words and lists of passwords exposed in earlier breaches. For example, instead of just “password”, you’d find “Password”, “p4ssw0rd”, “Pa55W0rd123”, and so on.
This is why passwords need to be both complex and unique.
Hybrid brute force attacks
The hybrid attack combines the simple brute force and dictionary attacks described above: a dictionary word supplies the base, and a short brute force supplies the rest. It is particularly good at finding common passwords that have been padded.
Padding is taking a familiar word, e.g., “Password”, and appending a set of extra characters, e.g., “1.1/1.1/2.2/2.2”. “Password1.1/1.1/2.2/2.2” is a much stronger password than either half on its own, but a hybrid attack does not have to search the whole string: it takes the base word from the dictionary and brute forces only the padding, so the effective search space shrinks to the padding alone.
Reverse brute force attacks
Instead of running through billions of potential passwords against one account, the reverse brute force method takes one common password and tries it against many accounts. For example, knowing that the password “qwerty” is still disastrously common, the hacker keeps using that one password while working through a list of usernames, looking for anyone who has not updated their password thinking since the last millennium. Because each account sees only one or two attempts, this pattern (also called password spraying) slips under per-account lockout thresholds.
Credential stuffing
This method works with username–password pairs that have been pwned. Being “pwned” means that your credentials have been leaked online, usually in a data breach.
Since many users reuse the same login on many sites, hackers replay a known username–password pair across hundreds of other sites in the hope that someone has reused their pwned credentials.
In our quest to become more secure, passwords become harder and harder to remember. This leads to password reuse. Let TeamPassword take care of securely remembering your team’s passwords, so they don’t use the same passwords as on less secure sites.
Sign up for a 14-day free trial, so TeamPassword can start protecting your network today!
Tools that Aid Brute Force Attempts
It goes without saying that this isn’t being discussed to encourage password cracking, but just to see exactly what you are up against when trying to secure a network. Hackers have created an entire ecosystem of tools to aid them in their nefarious actions, and you should be aware of them to appreciate just how hard it is to maintain a secure network.
Automated tools help with brute force attacks.
Instead of manually entering every possible password, hackers unsurprisingly use automated software to run their brute force attacks. These programs can run dictionary attacks as well.
Many of these tools can guess directly against network protocols (e.g., MySQL and Telnet), attack wireless routers, crack password hashes recovered from encrypted storage, transform wordlist entries into common variants (e.g., password, p4ssw0rd, and Pa55WoRd), and audit a network for weak passwords.
Some tools use precomputed rainbow tables.
A rainbow table is a precomputed table that caches the output of a cryptographic hash function, usually for cracking password hashes: a captured hash is reversed by lookup instead of by guessing, which removes the most expensive part of an offline attack. Rainbow tables only work against unsalted hashes. A per-user random salt means the table would have to be rebuilt for every salt value, which is why modern password storage (bcrypt, scrypt, Argon2) salts every hash.
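The following is an added example, not code from the article or from any cracking tool, of a minimal rainbow table over the 456,976 four-letter lowercase passwords. It builds hash-reduce chains, stores only the chain endpoints, and reverses an unsalted SHA-256 hash by walking the chains; the same lookup fails for a salted hash because the chains were built without the salt. The chain count, chain length and the salt value are assumed for the demonstration, and the reduction function is a deliberately simple one.

```python
import hashlib
import random
import string

CHARSET = string.ascii_lowercase
PW_LEN = 4
SPACE = len(CHARSET) ** PW_LEN  # 456,976 possible four-letter lowercase passwords


def index_to_password(idx: int) -> str:
    """Map an integer in [0, SPACE) to a password string."""
    chars = []
    for _ in range(PW_LEN):
        idx, r = divmod(idx, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def h(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def reduce_fn(digest: bytes, position: int) -> str:
    """Map a hash back into the password space; `position` makes each column's reduction distinct."""
    return index_to_password((int.from_bytes(digest[:8], "big") + position) % SPACE)


def build_table(n_chains: int, chain_len: int, seed: int = 1) -> dict:
    """Precompute chains from random starts; store endpoint -> start only (the time-memory trade-off)."""
    rng = random.Random(seed)
    table = {}
    for _ in range(n_chains):
        start = index_to_password(rng.randrange(SPACE))
        pw = start
        for pos in range(chain_len):
            pw = reduce_fn(h(pw), pos)
        table.setdefault(pw, start)
    return table


def crack(table: dict, target: bytes, chain_len: int):
    """Recover the preimage of `target` if it lies in any stored chain, else None."""
    for pos in range(chain_len - 1, -1, -1):
        # Assume the target sits at column `pos`; walk the rest of the chain to its endpoint.
        pw = reduce_fn(target, pos)
        for p in range(pos + 1, chain_len):
            pw = reduce_fn(h(pw), p)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint hit (possibly a false alarm): regenerate that chain and look for the preimage.
        pw = start
        for p in range(chain_len):
            digest = h(pw)
            if digest == target:
                return pw
            pw = reduce_fn(digest, p)
    return None


def sample_covered(table: dict, column: int) -> str:
    """Return the password at `column` of the first stored chain (guaranteed to be in the table)."""
    pw = next(iter(table.values()))
    for pos in range(column):
        pw = reduce_fn(h(pw), pos)
    return pw


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted hash: the table was built without this salt, so its chains never contain this value."""
    return hashlib.sha256(salt + password.encode()).digest()


if __name__ == "__main__":
    CHAIN_LEN = 100
    table = build_table(2000, CHAIN_LEN)
    pw = sample_covered(table, 5)
    print(f"{len(table)} chains cover part of a {SPACE}-password space")
    print("unsalted lookup:", crack(table, h(pw), CHAIN_LEN))
    print("salted lookup:  ", crack(table, salted_hash(pw, b"\x9b\x11"), CHAIN_LEN))
```

With 2,000 chains of length 100 the table holds 2,000 endpoints but covers on the order of 200,000 hashes; a real table scales the same idea to billions of entries and hash functions such as unsalted NTLM or MD5, and the salt check at the end is exactly why it does not scale to properly stored passwords.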
GPU Speeds Brute Force Attempts
Brute force attacks require a huge amount of computation, and almost all of it (hashing and comparing millions of candidates) can run in parallel. GPUs, with their thousands of cores, handle that kind of work far faster than CPUs, so many brute force software packages can offload the guessing to one or more GPUs.
Combining the CPU and GPU
Combining CPUs and GPUs accelerates the work even further. GPUs process parallelizable workloads incredibly quickly: any computation that can be broken down into many small, independent pieces can be spread across the thousands of cores in a GPU and run at the same time. With this approach, hackers can crack passwords about 250 times faster than with a CPU alone.
How effective is a complex password against a brute force attack?
Brute force attacks can be thwarted by long, random passwords. However, forcing users on your network to pick complex passwords does not by itself make you invulnerable.
Let’s assume you make everyone on your network choose a password with a minimum length of 12 characters with at least one lowercase letter, uppercase letter, number, and special character. That is, it meets the following requirements:
Lowercase letter {abcdefghijklmnopqrstuvwxyz}
Uppercase letter {ABCDEFGHIJKLMNOPQRSTUVWXYZ}
Number {0123456789}
Special character {!@#$%^&*()_+{}|:"<>?~`-=[]\;',./}
This is very effective against a pure brute force attack. The four sets together give 94 characters, so there are 94^12, roughly 4.8 × 10^23, possible 12-character passwords (a little fewer once you require at least one character from each set). At 20,000,000,000 attempts per second, a rate that rented cloud GPUs can reach against a fast, unsalted hash, exhausting that space would take about 750,000 years, and an attacker expects to succeed after half of it on average. Note that such rates only apply to offline attacks against a captured hash; a login form that throttles attempts sees a tiny fraction of that. But is that enough?
Although it would defeat a pure, simple brute force attack, against a hybrid brute force attack the outcome depends on how unique the password is as well. If your employee chooses the password “Password-123”, chances are it will be found in the dictionary prelude to the brute force attack, and a hacker will be on your network in seconds.
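The arithmetic behind those two outcomes, as an added example that is not part of the original article: the functions below compute the keyspace of a password policy (including the inclusion-exclusion correction for “at least one of each class”), the time to exhaust it at the 20 billion guesses per second quoted above, and, for comparison, the size of a hybrid dictionary-plus-suffix search. The attacker budget of a 10,000-word list, 1,000 mangling rules and a three-digit suffix is a constructed illustration, not a measured figure.

```python
import math
from itertools import combinations

# Guess rate quoted in the text for a cloud-backed offline attack (assumed, not measured).
GUESSES_PER_SECOND = 20_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Character classes from the policy above: 26 + 26 + 10 + 32 = 94 symbols.
CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
ALL_CLASSES = ("lower", "upper", "digit", "special")


def keyspace(length: int, classes=ALL_CLASSES) -> int:
    """Number of strings of exactly `length` characters drawn from the given classes."""
    return sum(CHARSETS[c] for c in classes) ** length


def keyspace_requiring_all(length: int, classes=ALL_CLASSES) -> int:
    """Strings of `length` that contain at least one character from every class (inclusion-exclusion)."""
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            remaining = sum(CHARSETS[c] for c in classes if c not in excluded)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    return math.log2(keyspace(length, classes))


def seconds_to_exhaust(length: int, classes=ALL_CLASSES, rate=GUESSES_PER_SECOND) -> float:
    return keyspace(length, classes) / rate


def years_to_exhaust(length: int, classes=ALL_CLASSES, rate=GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(length, classes, rate) / SECONDS_PER_YEAR


def hybrid_candidates(words: int, rules: int, suffix_len: int, suffix_classes=("digit",)) -> int:
    """Candidates tried by a dictionary + mangling rules + brute-forced suffix attack."""
    return words * rules * keyspace(suffix_len, suffix_classes)


if __name__ == "__main__":
    print(f"12 chars, all classes: {entropy_bits(12):.1f} bits, "
          f"{years_to_exhaust(12):,.0f} years to exhaust (half that on average)")
    strict = keyspace_requiring_all(12)
    print(f"  requiring one of each class keeps {strict / keyspace(12):.0%} of that space")
    print(f"6 chars, lowercase only: {seconds_to_exhaust(6, ('lower',)):.3f} seconds")
    # Constructed attacker budget: 10,000 words x 1,000 rules x 1,000 three-digit suffixes.
    n = hybrid_candidates(10_000, 1_000, 3)
    print(f"hybrid search of {n:,} candidates: {n / GUESSES_PER_SECOND:.1f} seconds")
```

The point of the last line is the one the paragraph makes: a policy-compliant password that is a dictionary word plus a short suffix lives inside a search of about 10^10 candidates, which is under a second at the quoted rate, while a genuinely random 12-character password lives inside a search of about 10^23.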
What do hackers gain from Brute Force Attacks?
Brute force attacks are not cheap. The hackers need to own a large amount of computing hardware, pay for cloud server time, or spend years building a botnet to carry out the attack. So, where is the payoff? Hackers can profit in many different ways:
- Profiting from ads or collecting activity data
- Stealing personal data and valuables
- Spreading malware to cause disruptions
- Hijacking your system for malicious activity
- Ruining a website’s reputation
How can you reduce your risk of brute force attacks?
There are many ways you can reduce your risk of brute force attacks. Often, simply being a harder target than the next person is enough: there are still people using “12345678” as their password, and attackers go where the effort is lowest. Strong passwords are the foundation, and throttling or locking out repeated login failures and requiring multi-factor authentication blunt online guessing on top of that.
Longer passwords with varied character types
Whenever possible, use long, complex passwords with lowercase and uppercase letters, numbers, and special characters.
Elaborate passphrases
If a site allows you to create passwords of any length, consider a passphrase—or the combination of many words—mixed with special characters. For example, instead of “H3ll0#”, try “hello.MY-nAmE/15_what”. The sheer length combined with special characters and numbers makes it much harder to crack through brute force or dictionary attacks.
Stay away from frequently used passwords.
Passwords need to be both complex and unique! One without the other will not hold a hacker off for even a minute: a complex password that is a well-known pattern is in the wordlist, and a unique password that is short falls to exhaustive search.
Use unique passwords for every site you use
It is always worth reiterating: never reuse passwords. If your password is pwned on Fortnite, that might be annoying. If the hackers then use that password to empty your bank account, it goes from upsetting to months or years of misery.
Remove unused accounts
Keep your network safe by removing old users’ accounts regularly, and immediately if they held high permissions.
Use a password manager.
The best thing you can do to prevent a brute force attack is to help your users create strong passwords by providing a password manager. Only with TeamPassword can you facilitate your team in becoming proactive participants in network security.
Sign up for a 14-day free trial to test TeamPassword with your team members today.