How Does Brute Force Attack Work

Brute force attack is one of the oldest hacking methods, yet still one of the most popular and most successful ones. With computers and technologies evolving as fast as they are, bruteforce attacking is now fairly easy to run and more difficult to protect against.

Brute force attack definition

So, what is brute force exactly? Brute force definition can be given as such — it is a type of cryptanalytic attack that uses a simple trial and error, or guessing method. In other words — a criminal gains access to a user’s account by guessing the login credentials.

Sometimes, brute force attacks are still done by hand, meaning that there’s an actual person sitting in some basement and playing a guessing game with your credentials. But, more often than not these days, the hackers use a brute force algorithm, or brute force password cracker, which is, basically, a bot that submits infinite variations of username/password combination and notifies the hacker when it gets in.

Brute force attack

What is bruteforce attack with examples

Brute force has been around ever since coding was invented. Naturally, the public’s been informed about some high profile attacks over the years. Though we can safely assume we do not know about a lot of the ones in the past and ongoing break-ins.

The most well-known brute force examples are:

So, how does a brute force attack work exactly? As we’ve already established, brute force hacking implies that someone is trying numerous combinations of username and password, again and again, and again, until they gain the desired access.

So let’s say a username is as simple as “admin” and doesn’t take too much effort to guess (we bet that’s the first one any hacker tries).

The password is a whole other story. Usually, a password requires at least 8 alphanumeric characters. There are 26 letters, if the password is lowercase and letters only (which it rarely is), so it makes for 26 possibilities for one character of the password. We can double that, because most passwords are case-sensitive. So it makes 52 possibilities for one character of a password. Add to that 10 digits and, for example, 5 special characters, and you get 67, which roughly makes 406 trillion combinations for the whole 8 characters alphanumeric password.

| Read also: How to Choose and Use Strong Passwords

How fast can a password be cracked

How long does a brute force attack take? We have 406 trillion combinations. Seams like it will take centuries to crack, right? The answer is yes, if the bot attempts a thousand combinations per second. But the technologies evolve, remember?

So, taking that into consideration, how fast can a random password be cracked? There are computers that can do a hundred billion guesses per second and get the correct password in a few hours. There are even super computers that can do a hundred trillion guesses per second, it will take them a couple of minutes to guess the correct combination. And that’s without assuming the correct combination is the 10th, or even the 110th one in the row.

Brute force attack dictionary attack

Brute force attack types

Up to this point, we were assuming the hacker has to guess each and every character of the password. But that’s not always the case.

Dictionary attacks

A dictionary attack implies that a hacker has a list of commonly used passwords (password dictionary) and simply tries them all until he finds the correct one. If your password is “password”, “qwerty” or “12345678”, we have bad news for you — it will be cracked in mere seconds.

Reverse brute force attacks

As the name suggests, this type of attack uses a reverse approach. A hacker tries multiple usernames against one common password, like the already mentioned “password”, until they find the correct combination.

Credential Stuffing (Credential recycling)

A lot of people use the same username-password combination for different accounts, for the sake of simplicity and to make sure they always remember the password. These people make the hackers’ lives too easy, if you ask us. This type of brute force attack works wonders if the attacker already has access to one of the victim’s accounts, all they have to do is use the same credentials for another service.

Exhaustive key search

This type of attack we’ve described in detail above. The attacker uses a computer to try every combination possible until the right one is found. Modern computers can complete the task in minutes.

| Read also: The Most Popular Passwords of Ashley Madison Users – Overused, Predictable and Unreliable

Brute force attack prevention

It might seem like there’s no way to protect your data from modern hackers and their super-computers. But there are ways to do that, and they are rather simple.

The first step of brute force protection is applying common sense. Just stop making it too easy for the hackers. If now you are asking yourself — “How safe is my password?”, we say — good question. Let’s see. If your password is long, combines not only letters, but numbers and special symbols as well, if it is different for every account and does not use any info that can easily be found online (your mother’s maiden name, the Uni you went to, the cat’s name etc.), you are on the safe side! Add to that 2-factor authentication whenever possible, and you can relax, cracking your account is close to impossible.

If you own a service or website and want to apply brute force attack protection for your users it’s a good idea to add a couple of protective layers. Start with requiring longer and more complicated passwords. Then turn on a lockout policy (you can lock an account if there was a certain number of consecutive failed attempts to log in). Another good idea is using Captcha, a bot can not choose a picture with a cat after all. Finally, offer two-factor authentication brute force protection to your users, better protection for accounts has not been invented yet.

Read more:

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This