Brute force attack is one of the oldest hacking methods, yet still one of the most popular and most successful ones. With computers and technologies evolving as fast as they are, bruteforce attacking is now fairly easy to run and more difficult to protect against.
Brute force attack definition
So, what is brute force exactly? Brute force definition can be given as such — it is a type of cryptanalytic attack that uses a simple trial and error, or guessing method. In other words — a criminal gains access to a user’s account by guessing the login credentials.
Sometimes, brute force attacks are still done by hand, meaning that there’s an actual person sitting in some basement and playing a guessing game with your credentials. But, more often than not these days, the hackers use a brute force algorithm, or brute force password cracker, which is, basically, a bot that submits infinite variations of username/password combination and notifies the hacker when it gets in.
What is bruteforce attack with examples
Brute force has been around ever since coding was invented. Naturally, the public’s been informed about some high profile attacks over the years. Though we can safely assume we do not know about a lot of the ones in the past and ongoing break-ins.
The most well-known brute force examples are:
- the 2016 Alibaba attack, when millions of accounts were affected;
- 2018 Magento break-in that resulted in a thousand admin panels compromised;
- another rather recent example occurred in Northern Ireland, where several accounts of parliament members were compromised;
- and our favorite — in early 2018 it turned out that Firefox master password is very easy to crack with brute force, which means millions of user accounts might have been compromised over the years it’s been widely used.
So, how does a brute force attack work exactly? As we’ve already established, brute force hacking implies that someone is trying numerous combinations of username and password, again and again, and again, until they gain the desired access.
So let’s say a username is as simple as “admin” and doesn’t take too much effort to guess (we bet that’s the first one any hacker tries).
The password is a whole other story. Usually, a password requires at least 8 alphanumeric characters. There are 26 letters, if the password is lowercase and letters only (which it rarely is), so it makes for 26 possibilities for one character of the password. We can double that, because most passwords are case-sensitive. So it makes 52 possibilities for one character of a password. Add to that 10 digits and, for example, 5 special characters, and you get 67, which roughly makes 406 trillion combinations for the whole 8 characters alphanumeric password.
| Read also: How to Choose and Use Strong Passwords
How fast can a password be cracked
How long does a brute force attack take? We have 406 trillion combinations. Seams like it will take centuries to crack, right? The answer is yes, if the bot attempts a thousand combinations per second. But the technologies evolve, remember?
So, taking that into consideration, how fast can a random password be cracked? There are computers that can do a hundred billion guesses per second and get the correct password in a few hours. There are even super computers that can do a hundred trillion guesses per second, it will take them a couple of minutes to guess the correct combination. And that’s without assuming the correct combination is the 10th, or even the 110th one in the row.
Brute force attack types
Up to this point, we were assuming the hacker has to guess each and every character of the password. But that’s not always the case.
A dictionary attack implies that a hacker has a list of commonly used passwords (password dictionary) and simply tries them all until he finds the correct one. If your password is “password”, “qwerty” or “12345678”, we have bad news for you — it will be cracked in mere seconds.
Reverse brute force attacks
As the name suggests, this type of attack uses a reverse approach. A hacker tries multiple usernames against one common password, like the already mentioned “password”, until they find the correct combination.
Credential Stuffing (Credential recycling)
A lot of people use the same username-password combination for different accounts, for the sake of simplicity and to make sure they always remember the password. These people make the hackers’ lives too easy, if you ask us. This type of brute force attack works wonders if the attacker already has access to one of the victim’s accounts, all they have to do is use the same credentials for another service.
Exhaustive key search
This type of attack we’ve described in detail above. The attacker uses a computer to try every combination possible until the right one is found. Modern computers can complete the task in minutes.
Brute force attack prevention
It might seem like there’s no way to protect your data from modern hackers and their super-computers. But there are ways to do that, and they are rather simple.
The first step of brute force protection is applying common sense. Just stop making it too easy for the hackers. If now you are asking yourself — “How safe is my password?”, we say — good question. Let’s see. If your password is long, combines not only letters, but numbers and special symbols as well, if it is different for every account and does not use any info that can easily be found online (your mother’s maiden name, the Uni you went to, the cat’s name etc.), you are on the safe side! Add to that 2-factor authentication whenever possible, and you can relax, cracking your account is close to impossible.
If you own a service or website and want to apply brute force attack protection for your users it’s a good idea to add a couple of protective layers. Start with requiring longer and more complicated passwords. Then turn on a lockout policy (you can lock an account if there was a certain number of consecutive failed attempts to log in). Another good idea is using Captcha, a bot can not choose a picture with a cat after all. Finally, offer two-factor authentication brute force protection to your users, better protection for accounts has not been invented yet.
- The Pros and Cons of Different Two-Factor Authentication Types and Methods
- Man In The Middle Attack Prevention And Detection
- Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?
- Top 7 Tips How to Protect Yourself from Phishing Scams
- Social Engineering: What It Is and Why It Works
- Ransomware – to Pay or Not to Pay
- Email hacking protection
- The Most Common Ways of Credit Card Fraud