We already talked about phishing and the social engineering techniques hackers use to obtain user credentials. Here we’ll discuss another popular hacking method and how to prevent it.
A brute force attack is an old technique. Just because it’s been around for years, doesn’t mean it’s not as effective as it used to be. Why? The key to success for brute force attacks lies in the fact that passwords are still a primary user authentication method.
How do brute force attacks work?
In a brute force attack, a hacker repeatedly submits various usernames and passwords until eventually guessing them correctly. This is a fairly simple approach, usually done with the help of automated tools, scripts or bots. These programs will cycle through every possible password combination, starting with the easiest-to-guess password.
There are various brute force cracking tools you can find online. Some of the most popular ones include:
- John The Ripper. This powerful tool is available free of charge. It can use a dictionary of passwords and combines text and numbers. It also detects the type of hashing used in a password.
- Aircrack-ng. Another free tool, this one for cracking Wi-Fi passwords. It performs dictionary attacks against a wireless network until it guesses the password.
- L0phtcrack and Ophcrack. Tools widely used for cracking Windows passwords.
- DaveGrohl. A brute-forcing tool for macOS that allows hackers to perform attacks from multiple computers.
- THC Hydra. A tool that uses brute force attacks to crack passwords of network authentications.
Brute force attacks are one of the easiest hacking techniques to perform. In this case, hackers take advantage of the fact that most users operate with way too many online accounts, which means they probably won’t bother creating unique and long passwords for every account. Easily memorable and reused passwords are the main reason brute force attacks end with success. Depending on the length and complexity of the password, the cracking process can take from a few seconds to several hours or even years.
Brute Force Attack vs Dictionary Attack — what’s the difference?
Both of these types of attacks are based on guessing. However, a dictionary attack is slightly more sophisticated than brute force. Unlike a brute force attack, it doesn’t try every possible combination (numbers, special characters, lowercase and uppercase letters) but instead uses a precompiled list of candidates. Such a dictionary can be built from previously breached credentials or from combinations that attackers believe are most likely to succeed.
For example, names of family members, pets or simple variations of the most common passwords are sometimes enough to break into a system. Simply put, a dictionary attack uses a list that can contain a large number of words, while a plain brute force attack works through combinations of letters and numbers. Just like brute force attacks, dictionary attacks take advantage of users who choose memorable and reused passwords.
A hybrid brute force attack
Sometimes hackers will use a combination of both techniques. A good example is users who are obliged to follow a frequent password change policy. Let’s not forget that an average user manages 60-70 passwords. This means that making up a new, complex password every few months and trying to memorize it is too much of a hassle. Instead, users simplify their lives by eventually sticking to one password and changing just a minor part of it (for instance, username2020 becomes username2021). Hackers will take a dictionary list of likely words and append numbers to them until they find the winning combination. They can also change the case of the words from the list and try other small variations.
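The rotation pattern described above (username2020 becoming username2021) is something a password-change policy can refuse before it ever reaches an attacker's wordlist. The following is an added example written for this article, not code from the original page; the `core()` normalization and the similarity threshold are assumptions chosen to illustrate the check.

```python
import re
from difflib import SequenceMatcher

# Characters people typically bolt on to the front or back of a reused password.
TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")
LEADING = re.compile(r"^[0-9!@#$%^&*._-]+")

def core(pw):
    """Lowercase and strip leading/trailing digits and symbols.
    'CompanyLaptop2021!' -> 'companylaptop' (assumed normalization)."""
    return LEADING.sub("", TRAILING.sub("", pw.lower()))

def is_minor_variation(old_pw, new_pw, username, min_len=14, similarity=0.8):
    """Return a rejection reason if new_pw is a weak rotation of old_pw
    (or is built on the username), or None if the change is acceptable.
    Heuristic only; it complements, not replaces, breached-password checks."""
    if len(new_pw) < min_len:
        return "too short"
    if username.lower() in new_pw.lower():
        return "contains username"
    new_core, old_core = core(new_pw), core(old_pw)
    if new_core == old_core:
        return "same core as previous password"
    # Catch near-identical cores such as one letter swapped or appended.
    if SequenceMatcher(None, new_core, old_core).ratio() >= similarity:
        return "too similar to previous password"
    return None
```

A real deployment would compare against a history of previous password hashes rather than the plaintext, which means this check must run at change time, when both old and new values are available.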
Detection & safety
The fact that brute force attacks are a primitive and easy-to-implement technique means they are fairly easy to defend against. However, they will continue to plague both organizations and individual users as long as passwords remain the only form of protection. The worldwide switch to remote work due to the coronavirus pandemic has caused an uptick in phishing emails and ransomware, but also in brute force attacks, and it has caught organizations unprepared in terms of cybersecurity awareness.
Brute force attacks are not difficult to identify. If you notice that somebody is repeatedly trying to log in to your account, it is most likely a brute force attempt. Note that the unsuccessful login attempts do not necessarily come from the same IP address, so counting failures per account matters as much as counting them per source. Once suspicious IP addresses have been identified, they should be blocklisted or blocked. After repeated login attempts, it is also worth presenting a CAPTCHA: manual verification by retyping the text from an image or ticking a checkbox can prevent attackers’ tools from brute-forcing their way into user accounts.
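To make the detection point concrete, here is an added example (not code from the original article) that runs a sliding-window count over constructed authentication log lines. It flags both a single account hit from many source addresses and a single address trying many accounts; the log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example; the format is assumed, not a real product's.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth: FAILED login user=alice src=203.0.113.5
2024-03-01T09:00:02Z auth: FAILED login user=alice src=203.0.113.6
2024-03-01T09:00:03Z auth: FAILED login user=alice src=198.51.100.7
2024-03-01T09:00:04Z auth: FAILED login user=alice src=198.51.100.8
2024-03-01T09:00:05Z auth: FAILED login user=alice src=192.0.2.9
2024-03-01T09:00:07Z auth: FAILED login user=bob src=203.0.113.20
2024-03-01T09:00:08Z auth: FAILED login user=carol src=203.0.113.20
2024-03-01T09:00:09Z auth: FAILED login user=dave src=203.0.113.20
2024-03-01T09:00:10Z auth: FAILED login user=erin src=203.0.113.20
2024-03-01T09:00:11Z auth: FAILED login user=frank src=203.0.113.20
2024-03-01T09:30:00Z auth: FAILED login user=henry src=203.0.113.99
2024-03-01T09:30:01Z auth: OK login user=henry src=203.0.113.99
"""

LINE_RE = re.compile(r"^(\S+) auth: FAILED login user=(\S+) src=(\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, src_ip) for each failed login; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def detect(text, threshold=5, window=timedelta(minutes=10)):
    """Return sorted alerts: ('account', user) when one account accumulates
    >= threshold failures inside the window from any mix of source IPs, and
    ('source', ip) when one IP accumulates >= threshold failures against any accounts."""
    failures = sorted(parse_failures(text))  # process in time order
    alerts = set()
    for label, idx in (("account", 1), ("source", 2)):
        recent = defaultdict(list)  # key -> timestamps still inside the window
        for rec in failures:
            times = recent[rec[idx]]
            times.append(rec[0])
            while times and rec[0] - times[0] > window:  # slide the window forward
                times.pop(0)
            if len(times) >= threshold:
                alerts.add((label, rec[idx]))
    return sorted(alerts)
```

The single failure for henry followed by a successful login does not trip either counter, which is the behaviour you want so that a mistyped password is not treated as an attack.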
Enforcing better password discipline is a good start. Making passwords longer (minimum 14 characters) and more complex, with lowercase and uppercase letters, numbers and special characters, will make the attacker’s job more difficult. Unfortunately, complicated does not mean impossible — stronger passwords increase the time required for an attack to succeed but do not eliminate the risk entirely. Global enterprises are switching to less cumbersome solutions. For a more robust defense, organizations should consider implementing multi-factor authentication (MFA) that is not based on passwords. This both enhances security and maintains usability, freeing users from the burden of remembering and managing passwords.