What is a Brute Force Attack?
A brute force attack is a trial-and-error technique for recovering encryption keys, login credentials, or other confidential information. Like someone trying every key on a key ring until one turns the lock, the attacker tries candidate after candidate until one works. For example, a brute-force program may be used to guess a user's password. Attackers fall back on brute force when they cannot find and exploit other weaknesses in the network.
It may seem like an antiquated method in today's advanced business environment, but to give you an idea, 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks; in other words, 5% of those breaches came down to a password that was successfully guessed. Depending on the complexity of the password, a successful brute force attack can take anywhere from a few minutes to months or years. Some accounts are worth spending years on, such as a wealthy bank account, so it makes sense to make guessing that account's password cost as much time as possible. How about the password to a hardware wallet containing millions of dollars' worth of Bitcoin?
What makes brute force attacks so popular is the simple cracking procedure they entail. The hacker only needs a computer and a program to try different combinations of usernames and passwords hoping to guess correctly.
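The paragraphs above say that the time a brute force attack takes depends on the complexity of the password. The following is an added illustration of that relationship, not code from the original article: it computes the size of the alphabet a guessing program would have to cover, the resulting keyspace for a given length, and the expected time at an assumed guess rate. The guess rate and the character-class sizes are assumptions, and the numbers are upper bounds: a dictionary or hybrid attack against a "logical" password such as NewYork@123 does not need to search the whole keyspace.

```python
import math
import string

# Character classes an attacker must cover once they know (or assume) the
# password draws from them. Sizes are the standard printable-ASCII counts.
CHAR_CLASSES = (
    ("lowercase", set(string.ascii_lowercase)),   # 26
    ("uppercase", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),               # 10
    ("symbols", set(string.punctuation)),         # 32
)


def alphabet_size(password):
    """Size of the smallest union of character classes that covers the password."""
    return sum(len(chars) for _, chars in CHAR_CLASSES
               if any(c in chars for c in password))


def keyspace(password):
    """Candidates an exhaustive search over that alphabet and length must cover.

    Upper bound only: a dictionary/hybrid attack finds wordlist-based passwords
    (NewYork@123) after a tiny fraction of this space.
    """
    return alphabet_size(password) ** len(password)


def expected_seconds(password, guesses_per_second):
    """Expected time to hit the password: on average half the keyspace is tried."""
    return keyspace(password) / 2 / guesses_per_second


def describe(seconds):
    """Render a duration in the largest unit that fits (rounded to one decimal)."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Assumed rate: 10 billion guesses/s against a fast unsalted hash. A slow,
    # salted password hash (bcrypt, scrypt, Argon2) cuts this by orders of magnitude.
    RATE = 1e10
    for pw in ("123456", "NewYork@123",
               "XSj7weoi40eonSl(jIkre10gnxu44wt6q9d7i097C8369"):
        print(f"{pw[:20]:22} alphabet={alphabet_size(pw):3} "
              f"keyspace=2^{math.log2(keyspace(pw)):.0f} "
              f"expected={describe(expected_seconds(pw, RATE))}")
```

Running the block shows why length dominates: the 45-character password's keyspace is around 2^295, far beyond any realistic guess rate, while a six-digit PIN falls in well under a second even when each guess is slow.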
Types of Brute Force Attacks
The most popular categories of brute force attacks include:
Simple Brute Force Attack: As the name indicates, these attacks use straightforward guessing to crack a password or PIN. Weak passwords cannot withstand the relentless progress of a simple brute force attack.
Dictionary Attack: The most common brute force method. The attacker works through a dictionary of possible passwords and tries each one against a username. From guessing common passwords to running through special dictionaries of words mixed with characters and numerals, the dictionary attack is considered a standard component of password cracking. This is why users should choose strong passwords: passwords like “password” and “123456” are guessed almost immediately.
Hybrid Brute Force Attack: This method blends outside means with logical guesses to crack a password. A typical hybrid attack in cryptography is a combination of a dictionary attack and a brute force attack.
Credential Stuffing: When a cybercriminal gets hold of a user’s username and password for one website, they try the same combination on other sites and platforms. The technique bears fruit in many cases because people are known to reuse the same password across platforms. Credential stuffing is why users should NOT reuse passwords across accounts. Use a different password for each account. Yes, it’s more to memorize, but a password manager can remember all those long passwords for you.
Password spraying, a related technique in which one common password is tried against many accounts, is covered separately.
How to Minimize the Risk of Brute Force Attacks
Here are a few strategies to neutralize brute force attacks:
- Use a long password that includes special characters and numerals.
- The password should not be a logical term such as “NewYork@123”. Try something like “XSj7weoi40eonSl(jIkre10gnxu44wt6q9d7i097C8369” and save it in a password manager. Let’s see how long a supercomputer takes to guess that password.
- Do not use the same password for multiple sites. Use a different password for each site and store them all in a password manager.
- Avoid using commonly used passwords. Use a random password generator to securely create long passwords with a single click.
- Change your passwords regularly. Although NIST recommends users utilize longer passwords and only change passwords when there has been an incident, there are many vendors that require intermittent password changes.
- Limit the number of failed login attempts allowed per account, so that guessing at scale becomes impractical.
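The last item above, limiting login attempts, is usually implemented as a lockout that grows with each burst of failures. The following is an added example of that control, not code from the original article or any product it mentions. It tracks failures both per account (classic brute force on one user) and per source address (spraying one password across many users), and doubles the lockout on each repeat so a guessing program cannot simply wait out a fixed counter. The thresholds and timings are assumptions chosen for the demonstration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Rate-limit login attempts per account and per source IP.

    After `max_failures` failures inside `window` seconds the key (account or
    IP) is locked for `base_lockout` seconds; every further lockout doubles the
    duration, capped at 2**max_doublings. All thresholds are assumed defaults.
    """

    def __init__(self, max_failures=5, base_lockout=30.0, window=900.0,
                 max_doublings=6):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.window = window
        self.max_doublings = max_doublings
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires
        self._lockouts = defaultdict(int)     # key -> lockouts so far (for doubling)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def _is_locked(self, key, now):
        return now < self._locked_until.get(key, 0.0)

    def check(self, account, ip, now=None):
        """Return (allowed, reason). Call this BEFORE verifying the password."""
        now = time.monotonic() if now is None else now
        if self._is_locked(f"acct:{account}", now):
            return False, "account locked"
        if self._is_locked(f"ip:{ip}", now):
            return False, "source locked"
        return True, "ok"

    def record_failure(self, account, ip, now=None):
        """Register a failed password check against both the account and the source."""
        now = time.monotonic() if now is None else now
        for key in (f"acct:{account}", f"ip:{ip}"):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= self.max_failures:
                n = min(self._lockouts[key], self.max_doublings)
                self._locked_until[key] = now + self.base_lockout * (2 ** n)
                self._lockouts[key] += 1
                q.clear()

    def record_success(self, account, ip):
        # A correct password resets the account's streak, but not the source's:
        # one hit from a spraying address says nothing about its other attempts.
        self._failures.pop(f"acct:{account}", None)
        self._lockouts.pop(f"acct:{account}", None)


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, base_lockout=60)
    for i in range(3):
        t.record_failure("alice", "203.0.113.5", now=i)
    print(t.check("alice", "203.0.113.5", now=3))   # (False, 'account locked')
    print(t.check("alice", "203.0.113.5", now=64))  # (True, 'ok') after 60 s
```

Because the throttle is consulted before the password is verified, a locked account costs the server nothing beyond a dictionary lookup, and the per-source counter catches a spray that never trips any single account's limit.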
The best way to counter a brute force attack is to neutralize it before it starts (prevention) or while it is in progress (before compromise). Once system security is compromised, it is exceptionally difficult to minimize the damage. This is where early-warning detection systems help security teams spot hacking attempts as they happen.
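The paragraph above calls for early-warning detection. The following is an added example of the detection logic behind such a system, not code from the original article: it parses a few constructed authentication-log lines (the one-line-per-attempt format is an assumption, not any real product's log format), counts failures per source address in a sliding window, labels the pattern as a single-account brute force or a spray across many accounts, and flags the case every responder cares about most, a success from a source that had just been failing repeatedly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed simplified format; not real captured logs.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:07 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:09 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:11 OK user=alice src=203.0.113.5
2024-03-01T10:01:00 FAIL user=bob src=192.0.2.10
2024-03-01T10:01:20 OK user=bob src=192.0.2.10
2024-03-01T10:02:00 FAIL user=carol src=198.51.100.7
2024-03-01T10:02:01 FAIL user=dave src=198.51.100.7
2024-03-01T10:02:02 FAIL user=erin src=198.51.100.7
2024-03-01T10:02:03 FAIL user=frank src=198.51.100.7
2024-03-01T10:02:04 FAIL user=grace src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Turn log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Alert on any source with >= threshold failures inside a sliding window.

    'brute-force' = failures hammer one account; 'password-spray/credential-stuffing'
    = failures spread over several accounts. success_after_failures marks a
    source that logged in successfully after its burst: a likely compromise.
    """
    alerts = []
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, r, user in evs if r == "FAIL"]
        start, best = 0, (0, set())
        for end in range(len(fails)):                 # two-pointer sliding window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, {u for _, u in fails[start:end + 1]})
        count, users = best
        if count < threshold:
            continue
        kind = "brute-force" if len(users) == 1 else "password-spray/credential-stuffing"
        succeeded = any(r == "OK" and ts >= fails[0][0] for ts, r, _ in evs)
        alerts.append({"src": src, "kind": kind, "failures": count,
                       "accounts": len(users), "success_after_failures": succeeded})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the sample data the detector raises two alerts: the first source is a single-account brute force that ended in a successful login and deserves immediate response, while the second is a spray that trips no per-account limit and would be invisible to a detector that only counts failures per user.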