What is a brute force attack?
A brute force attack is an attack technique in which malicious actors cycle through every possible password, access key or other type of access credential until they find the one that grants access to the system, or decrypts the data, they are targeting.
For example, if an attacker knows that a user account named admin exists on a system, the attacker might try to log in as that user with the password "password". If that fails, the attacker tries "1234", and if that fails, "qwerty". (All of these are commonly used passwords.) The attacker continues until the right password is found – or until security tools lock the account.
Keep reading for a breakdown of what brute force attacks are, how they work, and how to protect against them.
How brute force attacks work
To execute a brute force attack, attackers must first collect some basic information about the system they are trying to compromise:
- Where and how users log in: For example, attackers must know the URL that hosts the login screen for a Web app, or the remote access protocol used to log in remotely to a server.
- Which type of login credentials are used: These could be username/password combinations, tokens, access keys, or something else.
- How the access credentials are formatted: To make attacks more efficient, it helps if attackers know at least basic information about access credential requirements, such as how many total characters are in the access credential.
With this information, attackers can begin executing a brute force attack by connecting to the login portal for the system they are targeting, then cycling through different potential access credentials until they hit the right one.
Types of brute force attacks
There are multiple types of brute force attacks. Each type reflects a different attack technique:
- Manual: In a manual attack, attackers manually try different login credentials. This is the most inefficient and slowest way to brute-force a system.
- Dictionary attack: A dictionary attack uses a premade list of possible logins – in other words, a dictionary file – to execute a brute force attack automatically. The dictionaries usually contain access credentials that are widely used, such as the passwords "password" and "1234". A software tool steps through the dictionary, attempting to log in with each entry.
- Hybrid attack: In a hybrid attack, a dictionary is used in conjunction with other attack techniques to increase the likelihood of a successful login. For example, attackers might add characters to each entry in the dictionary file because they know that users might configure passwords that are a combination of a standard password and additional characters, like numbers representing a birthday. Thus, whereas password on its own might not be the right login, password6186 could be, so attackers will try logins like the latter.
- Reverse attack: In a reverse brute force attack, attackers take commonly used login credentials (like password) and attempt to use them to log in as multiple users. In other words, they cycle through a single password in combination with multiple user names rather than cycling through multiple passwords for a single user. This type of attack is sometimes also called password spraying.
Simple login protections can be breached with manual attacks or basic dictionary attacks, but hybrid and reverse attacks increase the chances of a successful brute force attack for more complex configurations.
Examples of brute force attacks
Brute force attack risks are hardly just theoretical. Examples of major organizations that have been breached using this technique include:
- Dunkin’ Donuts in 2015.
- Magento, which reported widespread brute force attacks against its eCommerce platform in 2018.
- Alibaba, which had about 21 million accounts compromised through brute force in 2016.
The list could go on, but you get the point: even at large organizations with mature cybersecurity strategies, brute force attacks are a threat.
Defenses against brute force attacks
The main challenge of defending against brute force attacks is that virtually any system with a login feature can be subject to this type of attack. Fortunately, however, there are several effective countermeasures that organizations can take to reduce the risk of successful brute force attacks.
Disable repeated login attempts
A simple but effective way of protecting against brute force attacks is to configure applications and endpoints such that accounts are automatically suspended after a series of failed login attempts. That way, if an attacker tries to brute force a password or other login credential, the attack will be stopped after just a few tries.
To mitigate the impact on legitimate users, accounts could be re-enabled after a fixed time period. For example, you could configure a login policy that says that after three failed login attempts in a one-minute period, the account is locked for the next hour. Or, you could allow users to re-enable their accounts by contacting your IT department. That way, a legitimate user who simply mistypes his or her password won't be locked out permanently.
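As an added example (not from the original article), here is the policy just described as a small Python class: three failures within a one-minute sliding window lock the account for an hour, the lock expires on its own, and a manual unlock stands in for the user contacting IT. Timestamps are plain seconds so the behaviour is deterministic.

```python
from collections import defaultdict, deque

# Policy from the text: three failures within one minute lock the account for one hour.
MAX_FAILURES = 3
WINDOW_SECONDS = 60
LOCKOUT_SECONDS = 3600


class LockoutPolicy:
    """Per-account failed-login tracking with a timed lockout (timestamps in seconds)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> recent failure timestamps
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        """True while the account is suspended; an expired lock is cleared here."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account, now):
        """Record a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for the account."""
        self._failures[account].clear()

    def unlock(self, account):
        """Manual re-enable, e.g. after the user contacts the IT department."""
        self._locked_until.pop(account, None)
        self._failures[account].clear()
```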
Use context-aware security
Another way of stopping brute force attacks while minimizing disruption to legitimate users is to use context to assess whether a brute force attack is likely taking place, then react accordingly.
For instance, you could configure systems so that a repeated number of failed logins from an endpoint that has never before accessed your network leads to the endpoint being blocked in order to stop what is likely a brute force attack. But repeated login failures from an endpoint that an employee regularly uses will not be automatically blocked, since in the latter case it’s more likely that the employee has legitimately forgotten his or her password. (Of course, it’s also possible that the employee’s device has been compromised and that someone is launching a brute force attack from it, so further investigation would be warranted in this case, even if the endpoint is not automatically blocked.)
A similar technique is to assess whether the login credentials that a user enters during a failed login are similar to the actual credential. If a password is off by just one or two characters, it’s likely that the user mistyped. But if you detect a series of repeated logins that are totally different from the valid credentials, it’s more likely to be a brute force attack.
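The endpoint-aware rule described above, as an added example written for this article rather than taken from it: the login log format and all addresses are constructed, an endpoint counts as "known" for an account once it has produced a successful login, and repeated failures from an unknown endpoint are blocked while the same pattern from a known endpoint is only flagged for investigation.

```python
from collections import Counter, defaultdict

# Constructed sample login log (not from any real system): "time user result source".
SAMPLE_LOG = """\
09:00:01 alice success 10.0.0.5
09:01:10 alice fail 10.0.0.5
09:01:15 alice fail 10.0.0.5
09:01:22 alice fail 10.0.0.5
09:02:00 bob success 10.0.0.9
09:03:00 bob fail 203.0.113.7
09:03:01 bob fail 203.0.113.7
09:03:02 bob fail 203.0.113.7
09:03:03 carol fail 203.0.113.7
"""
FAILURE_THRESHOLD = 3  # failures from one source against one account before acting

def parse_log(text):
    """Yield (user, result, source) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _time, user, result, source = line.split()
            yield user, result, source

def known_endpoints(events):
    """Endpoints each account has previously logged in from successfully."""
    known = defaultdict(set)
    for user, result, source in events:
        if result == "success":
            known[user].add(source)
    return known

def assess(events):
    """Map each (user, source) pair with failures to 'block', 'investigate' or 'allow'."""
    events = list(events)
    known = known_endpoints(events)
    failures = Counter((u, s) for u, r, s in events if r == "fail")
    decisions = {}
    for (user, source), count in failures.items():
        if count < FAILURE_THRESHOLD:
            decisions[(user, source)] = "allow"
        elif source in known[user]:
            # Known endpoint: probably a forgotten password, but the device could
            # be compromised, so flag for investigation rather than block.
            decisions[(user, source)] = "investigate"
        else:
            # Never-seen endpoint hammering an account: likely brute force.
            decisions[(user, source)] = "block"
    return decisions
```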
Use multi-factor authentication
Multi-factor authentication (MFA) helps prevent brute force attacks by providing a secondary line of defense that blocks attackers even if they successfully guess a login credential.
For example, if MFA is enabled in an application and attackers brute force a password, they might also need a one-time access code that is emailed to the legitimate user before they can complete the login.
MFA doesn’t guarantee total protection against brute force attacks because there is still a risk that attackers could acquire the additional login factor or factors. For example, after brute-forcing a password, they could launch a phishing attack where they contact the user they are targeting and claim to be from the IT team to request access to the second login credential. If the user falls for the ruse, the attackers would be able to log in because they’d know both authentication factors.
Still, MFA makes it significantly harder to execute a successful attack using brute force, so it’s an effective defense technique.
Require long and complex passwords
The longer and more complex a password is, the harder it is to brute force. The reason is that the larger the set of characters a password may contain, and the more characters it has, the greater the total number of possible passwords an attacker has to try.
So, by requiring passwords to include non-alphanumeric characters and requiring them to be a minimum length, you significantly reduce the risk that passwords will appear on the dictionary lists that attackers use when executing brute force attacks.
The same logic applies to other types of access credentials, such as SSH keys or login tokens, which are also more resistant to brute force if they are long and complex.
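As an added illustration (not part of the original article), the following computes the password space for two policies and how long exhausting it would take at two guess rates. Both rates are assumptions: an unthrottled login accepting 10,000 attempts per second, versus one limited by the three-failures-per-minute lockout policy described earlier.

```python
import string

# Guess rates are assumptions for illustration, not figures from the article.
UNTHROTTLED_RATE = 1e4    # guesses/second against a login with no lockout
THROTTLED_RATE = 3 / 60   # guesses/second under "three failures per minute"
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols from an alphabet of `charset_size`."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, rate):
    """Worst-case years needed to try every password in the keyspace at `rate` guesses/second."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def policy_comparison():
    """Years to exhaust the keyspace for two password policies under both guess rates."""
    lower = len(string.ascii_lowercase)                                     # 26 symbols
    mixed = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols
    return {
        ("8 lowercase", "unthrottled"): years_to_exhaust(lower, 8, UNTHROTTLED_RATE),
        ("8 lowercase", "throttled"): years_to_exhaust(lower, 8, THROTTLED_RATE),
        ("12 mixed", "unthrottled"): years_to_exhaust(mixed, 12, UNTHROTTLED_RATE),
        ("12 mixed", "throttled"): years_to_exhaust(mixed, 12, THROTTLED_RATE),
    }
```

Eight lowercase letters fall in well under a year against an unthrottled login but take over a hundred thousand years under the lockout policy; twelve mixed characters are out of reach at either rate.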
Future trends for brute force attacks
Brute force attacks are a real threat to organizations of all types. And in fact, the risk is likely only to grow. Not only are brute force attacks increasing in frequency, but they are also becoming easier and easier to execute, thanks to the availability of increasingly powerful computers that can automatically perform login attempts. The arrival of quantum computers will complicate brute force attack prevention even more because quantum computers will be able to cycle through potential logins at rates that are potentially hundreds of millions of times faster than those of conventional machines.
The good news is that effective defenses against brute force attacks exist. Simple techniques like restricting repeated login attempts and requiring MFA can stop most brute force attacks, even when they are carried out by supercomputers.