Brute force attacks occur when a bad actor tries a large number of username and password combinations against a target. These attacks typically involve many guesses at an account's password in the hope that one of them is valid. It is a bit like trying every combination on a padlock, but at a much larger scale.
Passwords are not the only resource that can be brute forced: links and directories, usernames and email addresses are other common targets.
Unlike many other tactics used by bad actors, brute force attacks do not rely on a vulnerability in the website's code. Instead, they rely on users having weak or guessable credentials. Their simplicity and the sheer number of available targets make brute force attacks very popular.
The objective of a brute force attack is to gain access to a resource that would otherwise be restricted: an administrative account, a password-protected page, or simply the list of valid email addresses registered on a given website.
Gaining access to a valid account can mean compromising the entire site, which the attacker can then add to a network of compromised websites used for further attacks.
Ever wondered how long it would take a hacker to break your password? The accompanying graphic plots cracking time against password length and complexity: passwords in the yellow zone are considered secure because cracking them by brute force would take an infeasible amount of time. There is some mathematics behind these calculations, which I will not delve into here.
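The arithmetic behind such a chart is simple: the number of candidate passwords is the character-set size raised to the password length, and the time to crack is that keyspace divided by the attacker's guess rate. The following is an added example (not from the original post) that computes the chart's numbers for a few character sets and lengths. The guess rates are assumed round figures for illustration, not measurements of any particular hardware.

```python
"""Added example, not from the original post: estimate brute-force cracking
time from password length, character-set size and the attacker's guess rate.
Guess rates below are assumptions for illustration only."""

# Character-set sizes: 26 lowercase, 52 mixed case, 62 alphanumeric,
# 95 printable ASCII.
CHARSETS = {"lower": 26, "mixed": 52, "alnum": 62, "printable": 95}

# Assumed guess rates (guesses per second). An online attack is throttled by
# the network and the server; an offline attack against a fast hash (MD5,
# SHA-1, unsalted SHA-256) runs on a GPU; an offline attack against a slow,
# purpose-built password hash (bcrypt, scrypt, Argon2) is far slower per guess.
RATES = {"online": 1_000, "offline_fast_hash": 1e11, "offline_slow_hash": 1e5}


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_crack(length: int, charset_size: int, rate: float,
                     exhaustive: bool = False) -> float:
    """Expected seconds to find the password at `rate` guesses/second.
    On average the attacker succeeds after trying half the keyspace;
    exhaustive=True gives the worst case (the whole keyspace)."""
    space = keyspace(length, charset_size)
    guesses = space if exhaustive else space / 2
    return guesses / rate


def human_time(seconds: float) -> str:
    """Render seconds using the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.1f} {name}"


def table(rate_name: str = "offline_fast_hash", lengths=(6, 8, 10, 12)):
    """Rows of (charset, length, human-readable expected crack time)."""
    rows = []
    for charset, size in CHARSETS.items():
        for n in lengths:
            secs = seconds_to_crack(n, size, RATES[rate_name])
            rows.append((charset, n, human_time(secs)))
    return rows


if __name__ == "__main__":
    for rate_name in RATES:
        print(f"--- {rate_name} ({RATES[rate_name]:,.0f} guesses/s) ---")
        for charset, n, t in table(rate_name):
            print(f"{charset:>9} x {n:2d} chars: {t}")
```

Run it and compare the `offline_fast_hash` and `offline_slow_hash` columns: the same eight-character password that falls in seconds to a GPU against a fast hash takes days against a properly slow password hash, which is why the hashing algorithm matters as much as the password policy.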
Types of Brute Force Attacks
At its core, a brute force attack is simply the act of trying many possible combinations, but there are several variants designed to increase its success rate. Here are the most common:
1. Simple Brute Force Attack
A simple brute force attack iterates through every possible password, one at a time. This is mainly practical offline, for example against a captured password hash or an encrypted file, where there is no limit on the number of attempts and no rate limiting; against a live login form, the other variants below are far more effective at scale.
2. Dictionary Attack
A dictionary attack uses a list of words and common passwords instead of guessing blindly: the attacker builds a "dictionary" of likely passwords and iterates through it. A good password list improves the attacker's success rate, but these attacks still require a large number of attempts per target.
3. Hybrid Brute Force Attack
A hybrid attack combines the dictionary attack with an iterative pattern. Instead of trying literally every password, it applies small modifications to each dictionary word, such as appending numbers or changing the case of letters.
4. Credential Stuffing
With the growing number of data breaches, password reuse has become an easy way to compromise accounts. Credential stuffing has a low success rate per credential, but it relies on lists of username and password pairs taken from earlier breaches, i.e. credentials that someone else has already stolen. Attackers obtain or purchase these lists on dark-net markets and replay them against other sites, which is why you should change your password on every site where you reused it as soon as your data has been involved in a breach.
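To make the difference between the dictionary and hybrid variants concrete, here is an added example (not from the original post) of a small offline dictionary attack with hybrid mangling rules, run against a SHA-256 hash. The wordlist, the rules and the target passwords are constructed for illustration; real attacks use tools such as hashcat or John the Ripper with much larger lists and rule sets.

```python
"""Added example, not from the original post: dictionary attack with hybrid
mangling rules against a SHA-256 hash. Wordlist, rules and targets are
constructed for illustration."""
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed mini wordlist; real lists hold millions of entries.
WORDLIST = ["password", "summer", "welcome", "dragon", "monkey"]

# "Leet" substitutions, one of the classic hybrid rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def suffixes() -> list:
    """Common appendages: two-digit numbers, years, a few symbols, and each
    of those with a trailing '!' (e.g. '2019!')."""
    base = [str(n) for n in range(100)]
    base += [str(y) for y in range(1990, 2025)]
    base += ["!", "123", "1234"]
    return base + [s + "!" for s in base]


def mangle(word: str) -> Iterator[str]:
    """Yield the bare dictionary word and its case variants first (a pure
    dictionary attack), then the hybrid variants built by leet substitution
    and appended suffixes."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    ordered = sorted(bases)
    for base in ordered:
        yield base
    for base, suffix in itertools.product(ordered, suffixes()):
        yield base + suffix


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try every candidate derived from the wordlist against the hash.
    Returns (password, guesses_tried); password is None if nothing matched."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed targets: a bare dictionary word, a 'strong-looking' password
    # that a hybrid rule still reaches, and one the rules do not cover.
    for pw in ["dragon", "Summer2019!", "Tr0ub4dor&3"]:
        found, tried = crack(sha256_hex(pw))
        print(f"{pw!r}: found={found!r} after {tried} guesses")
```

Note that the mangled candidates number only a few thousand per word, so "Summer2019!" falls in a fraction of a second even though it satisfies the usual "upper, lower, digit, symbol" complexity rules; what protects a password is its distance from any dictionary word plus rule, not the mix of character classes.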
How Can You Tell If A Brute Force Attack Is Happening?
Common sense goes a long way in identifying brute force attempts: if someone is repeatedly and unsuccessfully trying to log in to an account, it is likely an attempted brute force attack.
Signs can include:
- The same IP address unsuccessfully trying to log in multiple times.
- Many different IP addresses unsuccessfully trying to log in to a single account.
- Multiple unsuccessful login attempts from various IP addresses in a short time period.
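The three signs above map directly onto detection logic over an authentication log. The following is an added example (not from the original post) that parses constructed sshd-style log lines and raises one alert per signal. The log lines and the thresholds are assumptions; a defender would tune the thresholds to normal traffic on their own systems.

```python
"""Added example, not from the original post: detect the three brute-force
signals (one IP failing repeatedly, one account hit from many IPs, a burst of
failures from many IPs in a short window) over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:02 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:03 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:04 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:05:00 sshd: Failed password for alice from 198.51.100.1
2024-03-01T10:05:01 sshd: Failed password for alice from 198.51.100.2
2024-03-01T10:05:02 sshd: Failed password for alice from 198.51.100.3
2024-03-01T10:05:03 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:05:04 sshd: Failed password for alice from 198.51.100.5
2024-03-01T10:05:05 sshd: Accepted password for alice from 198.51.100.9
2024-03-01T11:00:00 sshd: Failed password for bob from 192.0.2.10
2024-03-01T11:00:01 sshd: Failed password for carol from 192.0.2.11
2024-03-01T11:00:02 sshd: Failed password for dave from 192.0.2.12
2024-03-01T11:00:03 sshd: Failed password for erin from 192.0.2.13
2024-03-01T11:00:04 sshd: Failed password for frank from 192.0.2.14
2024-03-01T11:00:05 sshd: Failed password for grace from 192.0.2.15
2024-03-01T11:00:06 sshd: Failed password for heidi from 192.0.2.16
2024-03-01T11:00:07 sshd: Failed password for ivan from 192.0.2.17
2024-03-01T11:00:08 sshd: Failed password for judy from 192.0.2.18
2024-03-01T11:00:09 sshd: Failed password for mallory from 192.0.2.19
2024-03-01T12:00:00 sshd: Failed password for bob from 192.0.2.10
"""

LINE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log: str):
    """Return a list of (timestamp, failed, user, ip) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result == "Failed", user, ip))
    return events


def detect(events, per_ip=5, per_account_ips=3, burst=10, burst_ips=5,
           window=timedelta(minutes=5)):
    """Apply the three signals; thresholds are assumed values."""
    alerts = []
    failures = sorted(e for e in events if e[1])  # sorted by timestamp
    by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for _, _, user, ip in failures:
        by_ip[ip] += 1
        ips_by_user[user].add(ip)
    # Signal 1: the same IP failing repeatedly.
    for ip, n in by_ip.items():
        if n >= per_ip:
            alerts.append(("single_ip", ip, n))
    # Signal 2: one account targeted from many different IPs.
    for user, ips in ips_by_user.items():
        if len(ips) >= per_account_ips:
            alerts.append(("many_ips_one_account", user, len(ips)))
    # Signal 3: many failures from many IPs inside a sliding time window.
    start = 0
    for end, (t, _, _, _) in enumerate(failures):
        while t - failures[start][0] > window:
            start += 1
        span = failures[start:end + 1]
        distinct = {ip for _, _, _, ip in span}
        if len(span) >= burst and len(distinct) >= burst_ips:
            alerts.append(("burst", failures[start][0].isoformat(), len(span), len(distinct)))
            break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Signal 3 is the one that matters against distributed attacks: a botnet can keep every single IP under the per-IP threshold, so the detection has to aggregate across sources rather than only per source.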
How Can You Prevent Brute Force Attacks?
- Use Strong Passwords
- Restrict Access to Authentication URLs
- Limit Login Attempts
- Use CAPTCHAs
- Use Two-Factor Authentication (2FA)
- Put your website behind a web application firewall (WAF)
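"Limit Login Attempts" is the control most often implemented by hand, so here is an added example (not from the original post) of an in-memory login throttle: it counts consecutive failures per account and per source IP, locks the account for an exponentially growing period, and resets on success. The thresholds, the backoff schedule and the injectable clock are assumptions; a real deployment would keep this state in a shared store so that every web node sees the same counters.

```python
"""Added example, not from the original post: per-account and per-IP login
throttling with escalating lockouts. Thresholds are assumed values."""
import time
from collections import defaultdict


class LoginThrottle:
    def __init__(self, max_failures=5, base_lockout=60, max_lockout=3600,
                 ip_limit=20, ip_window=600, clock=time.monotonic):
        self.max_failures = max_failures   # failures before an account lockout
        self.base_lockout = base_lockout   # first lockout, seconds
        self.max_lockout = max_lockout     # cap on the escalating lockout
        self.ip_limit = ip_limit           # failures per IP inside ip_window
        self.ip_window = ip_window         # seconds
        self.clock = clock                 # injectable for tests
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.lockouts = defaultdict(int)   # account -> lockouts so far
        self.locked_until = {}             # account -> timestamp
        self.ip_hits = defaultdict(list)   # ip -> failure timestamps

    def _ip_blocked(self, ip) -> bool:
        now = self.clock()
        hits = [t for t in self.ip_hits[ip] if now - t < self.ip_window]
        self.ip_hits[ip] = hits            # drop entries outside the window
        return len(hits) >= self.ip_limit

    def allowed(self, account, ip):
        """Call before verifying the password. Returns (ok, reason)."""
        now = self.clock()
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return False, f"account locked for {int(until - now)}s"
        if self._ip_blocked(ip):
            return False, "too many failures from this IP"
        return True, "ok"

    def record_failure(self, account, ip) -> int:
        """Register a failed login. Returns the lockout length in seconds if
        this failure triggered one, else 0. Each successive lockout doubles."""
        now = self.clock()
        self.failures[account] += 1
        self.ip_hits[ip].append(now)
        if self.failures[account] >= self.max_failures:
            n = self.lockouts[account]
            lockout = min(self.base_lockout * 2 ** n, self.max_lockout)
            self.locked_until[account] = now + lockout
            self.lockouts[account] += 1
            self.failures[account] = 0
            return lockout
        return 0

    def record_success(self, account):
        """A correct password clears the account's counters."""
        self.failures.pop(account, None)
        self.lockouts.pop(account, None)
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    th = LoginThrottle()
    for i in range(6):
        print(th.allowed("alice", "203.0.113.5"), "->", th.record_failure("alice", "203.0.113.5"))
```

Two design points worth noting. Lockouts are short and escalating rather than permanent, because a permanent lock lets an attacker deny service to any user simply by failing their login on purpose; a CAPTCHA or 2FA challenge is the better response once an account is under attack. And the per-IP counter exists because credential-stuffing traffic spreads one or two attempts across many accounts, which the per-account counter alone would never notice.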
What do you think about this post on Brute Force Attacks?
Kindly leave me your thoughts in the comment section.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking.
She is passionate about the Cybersecurity domain and goes out of her way to share valuable posts and writings about Cybersecurity on her website and social media platforms.
34,000+ professionals follow her on Facebook for the quality of her posts.
If you haven't yet come across her work on Cybersecurity, you can follow her on Facebook at Cybersecurity PRISM.