A hacking method that uses trial and error to decode login information, passwords and encryption keys to gain unauthorized access to systems, networks and information. The attack consists of excessive forceful attempts to crack the login credentials in order to force their way into the systems targeted.
The approach is old but still popular amongst cybercriminals but the possibility of a lengthy process can put some off using it. An attempt to gain access to one account using this method can take seconds but some can take months or years to be successful.
Why use brute force attacks?
To steal data
As with most cyberattack, the goal of stealing personal information is at the top of the list of motivations. Gaining access to someone’s personal email account, for example, opens doors to launching other attacks on other platforms or websites they may use.
Spreading malware
Brute force attacks are usually not personal with the hacker simply wanting to create havoc. They may do this by spreading malware via email or Short Message Service (SMS) messages, concealing malware within a spoofed website designed to look like a legitimate site, or redirecting website visitors to malicious sites. By infecting a user’s computer with malware, the attacker can then work on accessing connected systems and networks and launch wider cyberattacks against organizations.
Hijack a system
Brute force attacks can play a role in malicious actors launching broader attacks using multiple devices, called a botnet. This is typically a distributed denial-of-service (DDoS) attack that aims to overpower the target’s security defenses and systems, making them crash or fail and create chaos.
Ruin a company reputation
Brute force attacks are often launched in an attempt to steal data from an organization, which will cost them financially to recover from but also to cause permanent reputational damage to the company targeted. Websites can also be targeted with attacks during which the attacker will add offensive text and images which when seen by online users will damage their reputation and in turn cause them to take their website down to remove the content.
Types of brute force attack
Simple brute force attack
The attackers will logically guess the credentials without the use of any external assistance from software. This method will give results if there are simple or weak passwords in use e.g.password1234. If the hacker has done some background research into their target, passwords from their “life” can be easily cracked such as their children’s names, favourite sports team, pet names or addresses.
Dictionary attacks
The attacker will select a target and then test possible passwords against their username. This type of attack is time consuming and is one of the lesser used options compared to newer, more effective methods.
Hybrid brute force attack
This is typically a mix of the simple brute force attack and a dictionary attack, meaning outside means helps to create more logical guessing. This will help to reveal combination passwords which contain words and numbers.
Reverse brute force attack
This is an attack wherein the threat actor already has the password and needs to find the account to which the password matches. They will normally have to search millions of accounts to find a match. However, this method becomes a lot more simplistic when passwords are leaked from online breaches, as they know where an account is set up with that password.
Credential stuffing
This method of attack sees lists of compromised user credentials being used to breach a system. The attack will use bots for automation and is based on the assumption that many users will use the same password across multiple accounts and services. This is a rising threat due to the availability of databases containing breached credentials and the sophisticated bots who can carry out the process efficiently.
How to combat brute force attacks?
Stronger passwords
Make sure you do not have a simple, easy to guess password. Do not use any variation of personal information including name, address, birthday. Be aware of passwords using other information that could be easily found on social media such as pet’s names, children’s’ names etc. A strong password should have no less than 8 characters and should contain the following:
- at least one uppercase letter
- at least one lower case letter
- at least one number
- at least one special character
Avoid repeating passwords
We all struggle to remember passwords at times so tend to stick to a list you’ll remember – Don’t do this. Try to think of unique passwords for each account you have. Repeating passwords or using variations of the same password can make it easier for hackers to get into a number of your accounts.
Multi factor authentication
Instead of just having a password as a barrier to your information, try using multi factor authentication. This will mean that if an attacker manages to guess your password or credentials, they will not be able to access the account as it will require approval from another security level. This can be anything from a text message to a code.
Provide password support
In an organization, the IT or cybersecurity team should invest time in educating employees on strong passwords and also ensure that passwords are changed periodically.
Limit log in attempts
Limiting the number of times a user can re-enter passwords or credentials can reduce the success rate of brute force attacks. Preventing other log in attempts after 2 or 3 incorrect entries will deter an attacker and will lock down the account from further combination testing.