brute force attack

A brute force attack is a trial-and-error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys through exhaustive effort (using brute force) rather than employing intellectual strategies. Just as a criminal might break into, or "crack," a safe by trying many possible combinations, a brute force attacking application proceeds through all possible combinations of legal characters in sequence.

A hacker may use a brute force attack to obtain access to a website or account, then steal data, shut the site down or execute another type of attack. Brute force is considered an infallible, although time-consuming, approach.

Crackers are sometimes used within an organization to test network security, although their more common use is for malicious attacks. Some variations, such as L0phtCrack from L0pht Heavy Industries, start by making assumptions based on knowledge of common or organization-centered practices and then apply brute force to crack the rest of the data. L0phtCrack uses brute force to attack Windows NT passwords from a workstation. PC Magazine reported that a system administrator who used the program from a Windows 95 terminal with no administrative privileges was able to uncover 85 percent of office passwords within twenty minutes.

How brute force attacks work

Brute force attacks commonly use automated tools to guess combinations of usernames and passwords until they find the correct input. The longer the password, the more time it typically takes to find the correct input.

Different types of brute force attacks exist. For example, credential recycling is a form of brute force attack in which usernames and passwords obtained from previous attacks are reused. A reverse brute force attack begins with the attacker having the password as a known value, but not the username; the hacker then follows the same pattern as a normal brute force attack to find the correct username. A dictionary attack is another type of brute force attack in which all words in a dictionary are tested to find a password. Dictionary attacks can also augment words with numbers, special characters and more. Additional forms of brute force attacks might try the most commonly used passwords, such as "password," "12345678" (or any similar numerical sequence) and "qwerty."
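The sentence above that "the longer the password, the more time it typically takes" can be made concrete with some keyspace arithmetic. The following is an added example, not part of the original page: it computes how many candidates an exhaustive search must cover for a given alphabet and length, the equivalent number of bits, and how long exhausting that space takes at an assumed guess rate. The guess rates used in the comment are assumptions for illustration, not measurements.

```python
import math


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length, i.e. the whole search
    space an exhaustive attack walks through before reaching max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of exactly `length` characters
    at a fixed (assumed) guess rate."""
    return keyspace_size(alphabet_size, length) / guesses_per_second


def length_penalty(alphabet_size: int, extra_chars: int) -> int:
    """Factor by which the search space grows when `extra_chars` more
    characters are added: each extra character multiplies it by the
    alphabet size."""
    return alphabet_size ** extra_chars


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Alphabets: lowercase letters only (26) vs. full printable ASCII (95).
    # The guess rate is an assumed figure for an online login endpoint
    # versus an offline hash-cracking rig; real rates vary widely.
    for alphabet, label in ((26, "lowercase"), (95, "printable ASCII")):
        for length in (8, 12, 16):
            for rate, where in ((100.0, "online"), (1e9, "offline")):
                t = seconds_to_exhaust(alphabet, length, rate)
                print(f"{label:16} len={length:2} {where:8} "
                      f"{password_bits(alphabet, length):5.1f} bits  "
                      f"{human_duration(t)}")
    print("8 -> 16 chars of printable ASCII multiplies the space by",
          length_penalty(95, 8))
```

The point of `length_penalty` is the one the page makes: length dominates. Doubling a printable-ASCII password from 8 to 16 characters multiplies the space by 95 to the eighth power, far more than swapping a few characters for symbols at the same length.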

How to prevent brute force attacks

Common ways to protect against brute force cracking include:

  • Adding to password complexity: this makes any process of guessing a password take significantly longer. Some websites, for example, require passwords of 8-16 characters containing at least one letter, one number and one special character (such as "."), and do not allow users to include their name, username or ID in their password.
  • Limiting login attempts: locking out a user for a specified amount of time after a specified number of failed username/password attempts.
  • Captchas: these show a box with warped text and ask the user to type what the text says. This prevents bots from executing the automated scripts used in brute force attacks, while still being easy for a human to pass.
  • Two-factor authentication (a type of multi-factor authentication): this adds a layer of security on top of the primary form of authentication. Two-factor security requires two forms of authentication (as an example, to sign in to a new Apple device, users need to enter their Apple ID along with a six-digit code that is displayed on another one of their devices previously marked as trusted).

A good way to secure against brute force attacks is to use all or a combination of the above strategies.
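The first two strategies in the list above (password complexity rules and a failed-attempt lockout) are straightforward to implement server-side. The following is an added example, not code from the original page: a lockout tracker with an injectable clock, a complexity checker matching the rules the page describes (8-16 characters, a letter, a number, a special character, no username), and a login routine that consults the lockout before checking the credential. The user store, salt and password are constructed sample data; the `LoginThrottle`, `check_complexity` and `authenticate` names are this example's own.

```python
import hashlib
import hmac
import os
import re
import time
from typing import Callable, Dict, List, Tuple


class LoginThrottle:
    """Lock an account after too many consecutive failed logins.

    `clock` is injectable so the lockout expiry can be exercised without
    sleeping; it defaults to a monotonic clock.
    """

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the counter so the user starts fresh.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Count a failed attempt; returns True if this one triggered a lockout."""
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def check_complexity(password: str, username: str,
                     min_len: int = 8, max_len: int = 16) -> List[str]:
    """Return the list of rules a proposed password violates (empty if OK)."""
    problems = []
    if not (min_len <= len(password) <= max_len):
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain a letter")
    if not re.search(r"[0-9]", password):
        problems.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain a special character")
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store: {username: (salt, pbkdf2 hash)}. Not real data.
_ALICE_SALT = b"constructed-salt-0001"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, hash_password("Correct.Horse9", _ALICE_SALT)),
}
_DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same time


def authenticate(throttle: LoginThrottle, username: str, password: str) -> str:
    """Return "locked", "ok" or "denied"; the lockout is checked first so a
    locked account is refused even when the password is right."""
    if throttle.is_locked(username):
        return "locked"
    salt, stored = USERS.get(username, (_DUMMY_SALT, b""))
    candidate = hash_password(password, salt)  # always hash: uniform timing
    if stored and hmac.compare_digest(stored, candidate):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

One caveat a practitioner will want: a per-username lockout on its own lets anyone who knows a username lock that user out by sending bad passwords, so production systems usually pair it with per-source rate limiting and a captcha or second factor rather than relying on the lockout alone, which is exactly the "combination of the above strategies" the page recommends.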

This was last updated in January 2019
