What Is A Brute Force Attack?

A brute force attack is a hacking technique that uses trial and error to guess login credentials and encryption keys, costing companies over $6 million annually in compromised cloud accounts. Here we explore the different types of brute force attacks and how to safeguard against them.

Brute Force Attacks

Though seemingly simple, brute force attacks are a reliable way for hackers to gain unauthorised access to a system, network or individual account. Brute force attacks are responsible for around 5% of all data breaches, and of breaches caused by hacking, around 80% involve brute force. With a trial-and-error approach, the attacker tries many different usernames and passwords until the right combination is found. These attacks are called “brute force” because the attacker relies on repeated, forceful attempts to gain entry. Even in the face of more sophisticated cyberattacks, brute force remains a commonly used method for hackers.

What Types Of Brute Force Attacks Are There?

There are a range of different types of brute force attack that can give attackers access to protected data. Here we explore the five most common.

1. Simple brute force attacks

Simple brute force attacks happen when a hacker tries to guess a user’s login credentials manually, without the use of any tooling or software. This is usually done by trying standard password combinations or PIN codes. These attacks succeed easily because many people still depend on weak passwords to protect their systems, such as “password123”, or use the same password across multiple websites. Passwords can also be guessed after a little research, such as finding the user’s pet’s name or favourite sports team, which gives the attacker a small set of candidates to try in different combinations.

2. Dictionary attacks

Dictionary attacks are where an attacker picks a specific user and then tests candidate passwords against that username. The name “dictionary attack” comes from the idea that attackers start from a list of dictionary words and append different numbers and special characters. Though it is not a brute force attack per se, it assists in the password-cracking process used for brute force attacks. It is also a fairly time-consuming method and less effective than many modern cyberattack techniques.

3. Hybrid brute force attacks

Hybrid brute force attacks combine dictionary attack methodology with a simple brute force attack. The hacker already knows a username and then uses dictionary and simple brute force methods together to find the password for that account. Starting from a list of likely words, the hacker tries different character, letter and number combinations until the correct password is found.

4. Credential stuffing

Credential stuffing is where attackers take advantage of users with poor password hygiene. Using username and password combinations that have already been stolen, they test the same login information on other websites to see whether it opens other accounts belonging to the same users. People who use the same username and password combination, or reuse the same password across multiple accounts, as is so often the case, are at high risk of credential stuffing.

5. Reverse brute force attacks

Reverse brute force attacks are used when an attacker already knows a password, typically obtained through an earlier network breach. Using that password, they then search through millions of usernames to find an account it matches. They can also use common, weak passwords, like “Password123”, to carry out this searching technique.
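The five types above leave different footprints in authentication logs, and that difference is what a defender can detect. A single-account attack (simple, dictionary or hybrid) shows many failed logins for one username from one source, while reverse brute force and credential stuffing show one source cycling through many usernames. The following detector is an added example written for this article, not code from the original page: it parses constructed sshd-style log lines, counts failures per source address inside a sliding time window and labels the pattern. The threshold of five failures in 60 seconds, the log format and the IP addresses are all assumptions; since passwords are never logged, reverse brute force and credential stuffing cannot be told apart from logs alone and are reported together as username spraying.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog format; no real host or user is represented.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Mar 10 09:00:02 host sshd[102]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Mar 10 09:00:03 host sshd[103]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Mar 10 09:00:04 host sshd[104]: Failed password for alice from 203.0.113.5 port 4004 ssh2
Mar 10 09:00:05 host sshd[105]: Failed password for alice from 203.0.113.5 port 4005 ssh2
Mar 10 09:00:06 host sshd[106]: Accepted password for alice from 203.0.113.5 port 4006 ssh2
Mar 10 09:01:00 host sshd[107]: Failed password for invalid user bob from 198.51.100.9 port 5001 ssh2
Mar 10 09:01:01 host sshd[108]: Failed password for invalid user carol from 198.51.100.9 port 5002 ssh2
Mar 10 09:01:02 host sshd[109]: Failed password for dave from 198.51.100.9 port 5003 ssh2
Mar 10 09:01:03 host sshd[110]: Failed password for invalid user erin from 198.51.100.9 port 5004 ssh2
Mar 10 09:01:04 host sshd[111]: Failed password for frank from 198.51.100.9 port 5005 ssh2
Mar 10 09:30:00 host sshd[112]: Failed password for grace from 192.0.2.44 port 6001 ssh2
Mar 10 09:35:00 host sshd[113]: Accepted password for grace from 192.0.2.44 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Return (timestamp, accepted, username, source_ip) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant for windowing
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def max_failures_in_window(times, window):
    """Largest number of failures from one source that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources whose failure burst reaches `threshold` and classify the pattern."""
    failures = defaultdict(list)   # ip -> failure timestamps
    users = defaultdict(set)       # ip -> usernames attempted
    success_after = defaultdict(bool)
    for ts, accepted, user, ip in parse_events(text):
        if accepted:
            if failures.get(ip):          # a success following failures is the worst case
                success_after[ip] = True
        else:
            failures[ip].append(ts)
            users[ip].add(user)

    findings = {}
    for ip, times in failures.items():
        burst = max_failures_in_window(times, window)
        if burst < threshold:
            continue
        if len(users[ip]) == 1:
            pattern = "password guessing"   # simple, dictionary or hybrid attack on one account
        else:
            pattern = "username spraying"   # reverse brute force or credential stuffing
        findings[ip] = {
            "failures": burst,
            "users": len(users[ip]),
            "pattern": pattern,
            "success_after_failures": success_after[ip],
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f)
```

On the sample, 203.0.113.5 is reported as password guessing against alice followed by a successful login, which is the event a responder should treat as a likely compromise rather than a mere nuisance; 198.51.100.9 is reported as username spraying with five distinct usernames; 192.0.2.44 never reaches the threshold and is left alone.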

How to Protect Against Brute Force Attacks

Brute force attacks are relatively simple and prey on weak passwords or careless password habits. As a result, they are comparatively easy to defend against. Individuals and organisations can take several steps to protect themselves from these attacks. As well as carrying out regular vulnerability scans and penetration testing, one of the best and easiest things you can do is make your passwords as strong as possible, which makes them much harder for attackers to guess. Ways to do this include:
  • Strong, multi-character passwords – experts suggest passwords of more than 10 characters that include several types of character, such as uppercase and lowercase letters, numbers and symbols.
  • Elaborate passphrases – for websites that restrict password length, passphrases are a good alternative. These are sentence-like strings of words, often with special characters, that are difficult to guess.
  • Avoid common passwords – frequently used passwords are very easy to guess, making them high risk. Avoid the word “password”, as well as common words and phrases, your name, or a sports team.
  • A new password for every account – to defend against the highly successful technique of credential stuffing, never use the same password for any two websites or accounts.
  • Use password managers – password managers make it easy to have a unique, complex password for each website you log into, storing them securely in one place.
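The bullets above describe a password policy in words; the following checker is an added example, written for this article rather than taken from it, that turns them into code a registration or password-change form could call. It rejects a password that is on a denylist of common passwords even when digits or symbols have been appended (the hybrid-attack trick that turns “password” into “Password123”), rejects passwords containing personal terms such as a pet’s or team’s name, requires more than 10 characters and at least three character classes unless the input is a passphrase, and rejects a password that has already been used on another account. The denylist is a small constructed sample, the three-class rule and the passphrase definition (at least four words and 16 characters) are assumptions not stated on the page, and comparing SHA-256 digests of previous passwords is an illustration of the reuse check rather than a recommendation for how to store them.

```python
import hashlib
import re
import string

# Constructed sample denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def digest(pw):
    """Digest used only to compare against previously used passwords in this example."""
    return hashlib.sha256(pw.encode()).hexdigest()


def _base_word(pw):
    """Strip the digit/symbol suffix a hybrid attack appends: 'Password123!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def _char_classes(pw):
    """Number of distinct character classes (lower, upper, digit, symbol) present."""
    return sum(any(c in cls for c in pw) for cls in CHARACTER_CLASSES)


def evaluate_password(pw, personal_terms=(), used_digests=frozenset()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []

    # Common passwords, with or without a trailing "123!" style suffix.
    if pw.lower() in COMMON_PASSWORDS or _base_word(pw) in COMMON_PASSWORDS:
        problems.append("common password")

    # Names, pets, teams and similar terms an attacker can find by research.
    for term in personal_terms:
        if term and term.lower() in pw.lower():
            problems.append(f"contains personal term '{term}'")

    # A passphrase (assumed: four or more words, 16+ characters) is accepted on length alone;
    # anything else must exceed 10 characters and mix at least three character classes.
    words = re.findall(r"[A-Za-z]+", pw)
    is_passphrase = len(words) >= 4 and len(pw) >= 16
    if not is_passphrase:
        if len(pw) <= 10:
            problems.append("10 characters or fewer")
        if _char_classes(pw) < 3:
            problems.append("fewer than three character classes")

    # Reuse across accounts is what makes credential stuffing work.
    if digest(pw) in used_digests:
        problems.append("already used on another account")

    return problems


if __name__ == "__main__":
    previously_used = {digest("Tr0ub4dor&3!")}
    for candidate in ("Password123", "rex2019", "correct horse battery staple", "Tr0ub4dor&3!"):
        print(candidate, "->", evaluate_password(candidate, ["Rex"], previously_used) or "ok")
```

The suffix-stripping check is the part worth copying: a naive denylist lookup passes “Password123” even though it is the first thing a hybrid attack tries, whereas normalising to the base word catches it.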