Brute Force Attack

What is a Brute Force Attack?

A brute force attack is one of the older and more primitive forms of cyberattack, but is still a very prevalent and successful method in the hacker community. A brute force attack, simply put, is trying a standard username and password combination over and over into a specific site, application, or system in an attempt to gain entry and act in a nefarious manner.  

Executed solely through the process of trial-and-error, brute force attacks use excessively forceful methods to attempt account entry. While this may sound tedious, this process is frequently automated using scripts that speed up the process exponentially. Brute force attacks are executed systematically, and although they only make up around 5% of confirmed data breaches, can be an extremely successful method of attack. Because many people recycle their credentials, and the list of data breaches continues to grow year over year, brute force attacks can be highly successful if the attacker is using modern tools and systems to execute it.

How a Brute Force Attack Works 

When it comes to brute force attacks, there are several popular methods, which range from manual and tedious to advanced, automated, and dangerous. Once your credentials are cracked, you have already lost the opportunity to protect your business. The goal may be identity theft, monetary theft, or data theft, but regardless, the result is the same—a data breach that could wreak havoc on your organization, from financial crisis, to executive distress, to loss of trust.

The most basic, original method of brute force attack is a dictionary attack, in which an attacker scans a password dictionary. A password dictionary is a file that contains millions of popular phrases, words, and symbols and attempts to crack an account that have been built up over years by hackers, penetration testing organizations, and individuals. 

As newer and more sophisticated methods have come to light, there are even more concerns on the horizon. These methods can result in successful brute force attacks in under two hours via use of a computer. This leaves millions of organizations vulnerable if the right protection isn’t in place.

Examples of Brute Force Attacks

As discussed above, there are many forms of brute force attack, from very simple to advanced and complex. To name a few...

  • Simple brute force attack: Rather than using an advanced software or system, the hacker uses a systematic approach to guess the password at random.
  • Dictionary attack: Dictionary attacks are one of the oldest methods of brute force attack, but while a bit outdated, can still be very successful, especially if you recycle your credentials. Usernames and/or passwords are attempted to be used at login, drawing from a password dictionary file of commonly found strings and/or phrases.
  • Rainbow table attack: A rainbow table attack uses a rainbow hash table to reverse cryptographic hash functions. The table contains the values used to encrypt the passwords before adding them to the database, and allows the hacker to crack a password/username combination quickly.
  • Credential stuffing: If you reuse your password, it has likely been leaked on the internet in various cyberspace circles. Credential stuffing takes advantage of this by using found login combinations across a multitude of different applications and sites in the hopes that you have used that same combination elsewhere. 
  • Reverse Brute Force attack: While a standard Brute Force attack uses your username and guesses your password, a reverse Brute Force attack is when the hacker knows your password, but not your username, and must try and find it.

How to Protect Against Brute Force Attacks

Luckily, there are many ways to keep your organization safe from Brute Force attacks! Here are a few helpful tips:

  • Eliminate passwords: The ONLY way to ensure the prevention of credential-based attacks is through eliminating passwords. Learn more about passwordless authentication today and keep your most critical applications secure.
  • Limit failed login attempts and instill a lock-out policy: An easy way to prevent a Brute Force attack is by limiting failed login attempts. Brute force attacks usually require many tries to successfully enter a system, so by limiting the number of tries you can stop the attacker before they even get going.
  • Captcha: Tools like reCAPTCHA require a human element to complete the login process, and cannot be done by computer. That single requirement to enter a word, or the number of cars in a generated image, can easily eliminate automated Brute Force attacks.
  • Monitor your server logs: By monitoring your log files religiously, you can be aware of any discrepancies and perform daily check-ups to ensure good system health and security.