Brute force attacks are a form of cyberattack that tries to guess passwords, session IDs, or encryption keys by trial and error: the attacker submits candidate values one after another until the right one is found.
While the incidence of brute force attacks remained more or less stable during the years before the covid pandemic, following March 2020, when companies worldwide began working remotely, brute-force attacks soared rapidly across the globe.
This article explains what brute force attacks are, what types there can be, and how to defend against them.
What is a brute force attack?
In its basic form, a brute force attack is the automated guessing of passwords, session IDs, or encryption keys. Attackers use it to take over user accounts or company systems, or to hijack online sessions and steal sensitive data.
It is a direct attack that occurs early in the cyber kill chain, at the initial-access stage. Because brute force attacks are systematic and relatively simple, they are almost always automated, and attackers use scripts, purpose-built tools, and bots to carry them out. Some attacks work from lists of commonly used or leaked passwords, while others enumerate every possible combination from scratch.
What types of brute force attacks are there?
Brute force attacks vary in sophistication. The industry recognizes five basic types.
Simple brute force attack
In a simple attack, the attacker enumerates combinations of letters, digits, and symbols until the password is found. The time-to-crack depends on the password’s length, on the size of the character set, and on how fast guesses can be tried (a few per second against a rate-limited login form, billions per second against a stolen hash cracked offline); it can range from seconds to centuries. A simple brute-force attack usually targets one or a few accounts.
Dictionary attack
A dictionary attack also tends to have few targets at a time, but instead of generating candidates exhaustively it works through lists of leaked or commonly used passwords. The premise is that people choose passwords that are easy to remember, like “pwd1234”.
Hybrid attack
A hybrid attack combines the two: it takes each word from a dictionary and appends or prepends a machine-generated part, usually a short string of digits or symbols, producing candidates such as “password123” or “summer2020!”. The search space is far smaller than exhaustive enumeration, yet it covers how most people actually build “complex” passwords.
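To make the difference between the three attack types concrete, the following is an added worked example (not code from the original article) that computes the search space of a simple, a dictionary, and a hybrid attack and the worst-case time to exhaust it. The guess rates, the 95-symbol alphabet, and the one-million-word dictionary size are assumptions chosen for illustration; the candidate generator shows the hybrid construction for a constructed two-word list.

```python
import itertools
import string

# Assumed guess rates for illustration only: 1e10 guesses per second is the
# order of magnitude of an offline GPU attack on a fast unsalted hash; a
# rate-limited live login form accepts a handful of guesses per second.
OFFLINE_RATE = 10_000_000_000
ONLINE_RATE = 10

PRINTABLE = 95  # 26 + 26 + 10 + 32 visible ASCII characters plus space
SECONDS_PER_YEAR = 365 * 24 * 3600


def simple_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a simple brute-force attack must cover for one fixed length."""
    return alphabet_size ** length


def hybrid_keyspace(wordlist_size: int, suffix_digits: int) -> int:
    """Candidates for a hybrid attack: every word times every digit suffix."""
    return wordlist_size * 10 ** suffix_digits


def seconds_to_exhaust(candidates: int, rate: int) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def hybrid_candidates(wordlist, suffix_digits: int):
    """Generate hybrid candidates: each word followed by every digit string of
    the given length. suffix_digits=0 degenerates to a plain dictionary attack."""
    for word in wordlist:
        for digits in itertools.product(string.digits, repeat=suffix_digits):
            yield word + "".join(digits)


def humanize(seconds: float) -> str:
    """Render a duration in the unit a report would use."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    for length in (6, 8, 12):
        space = simple_keyspace(PRINTABLE, length)
        print(f"simple, {length} chars: {space:.3g} candidates, "
              f"offline {humanize(seconds_to_exhaust(space, OFFLINE_RATE))}, "
              f"online {humanize(seconds_to_exhaust(space, ONLINE_RATE))}")
    # Assumed dictionary size; real leaked-password lists hold millions of entries.
    space = hybrid_keyspace(1_000_000, 4)
    print(f"hybrid, 1M words + 4 digits: {space:.3g} candidates, "
          f"offline {humanize(seconds_to_exhaust(space, OFFLINE_RATE))}")
    # Constructed two-word list to show the hybrid construction itself.
    print(list(hybrid_candidates(["password", "letmein"], 1)))
```

Run as a script, it shows why length dominates: eight printable characters fall to an offline attack in about a week at the assumed rate, twelve take over a million years, while a million-word dictionary with four appended digits is only ten billion candidates, one second of offline work.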
Reverse attack (password spraying)
A reverse attack, also known as password spraying, turns the simple attack around: instead of many passwords against one account, it tries a small set of common passwords against a large number of user accounts. Because each account sees only one or two attempts, per-account lockout thresholds are never reached, which is what makes spraying attractive to attackers.
Credential stuffing
Credential stuffing replays sets of leaked or stolen username and password pairs against other websites. The attacker relies on people re-using the same credentials across accounts, hoping that a password leaked from one service opens accounts, and data, on others.
What are the motives for brute force attacks?
Hackers can have different reasons for launching brute force attacks, but the most common motive is money.
By hijacking sessions and compromising websites, attackers collect user data, which they then sell to advertisers or data brokers. If a website is compromised, the adversary may plant their own spam ads, redirect visitors to ads that earn them a commission, or redirect them to phishing sites to harvest more credentials.
Some attacks go after user identities, which provide them access to sensitive personal information, bank accounts, or credit cards.
However, some brute force attacks have more destructive goals. They serve as the initial-access step of larger campaigns that disrupt business and damage a company’s reputation by shutting down services or deploying malware, which in turn carries out cryptocurrency mining, espionage, or ransomware deployment.
What tools do hackers use to launch brute force attacks?
Hackers use several tools in brute-force attacks.
- Password crackers (or password recovery tools), which work offline against captured password hashes at very high guess rates; e.g., John the Ripper (cross-platform) or Cain & Abel (Windows).
- Network mapping tools to discover active hosts and exposed login services on a network; e.g., Nmap (cross-platform).
- Parallelized online login crackers that send guesses to a live service such as SSH, RDP, or a web form; e.g., Hydra (Unix) or Medusa (Linux). The same tools are used in penetration tests to measure how well IT products and services resist password guessing.
How do you prevent brute force attacks?
Organizations need several layers of security to defend against brute force attacks.
Use strong and unique passwords
This is the bottom line: use a strong, unique password for every account. Length matters more than character variety: every extra character multiplies the search space, whereas substitutions like “P@ssw0rd” are already in attackers’ dictionaries and rule sets. A unique password per account confines credential stuffing to the one site that leaked it. Password managers give users a handy place to keep their passwords and generate long random ones, so complexity is no longer a burden on the user.
Enforce multi-factor authentication
Protect your user accounts with multi-factor authentication (MFA). MFA (or 2FA, two-factor authentication) requires an additional proof of identity, such as a one-time code or a hardware security key, on top of the username and password.
It is a relatively simple and inexpensive measure: a guessed, leaked, or stuffed password is not enough on its own to log in. One-time codes and push prompts can still be phished or worn down by repeated prompts, so where the risk justifies it, prefer phishing-resistant factors such as FIDO2 security keys.
Limit login attempts, throttling
Limiting the number of login attempts (e.g., locking the account for a timeout period after a set number of unsuccessful attempts) makes guessing the password far more time-consuming. Apply limits per source address as well as per account: an account-only lockout does nothing against password spraying, and an attacker can abuse it to lock legitimate users out of their own accounts.
A similar technique is throttling, which artificially increases the server’s response time after, say, three unsuccessful login attempts, typically doubling the delay with each further failure. This forces the attacker’s bot to wait seconds between attempts, cutting its guess rate from thousands per second to a handful per minute and making the attack far less effective.
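The following is an added example (not code from the original article) of the two controls described above combined in one in-memory login throttle: exponential backoff after three free failures and a hard lockout after ten, tracked per account and per source address so that a single source spraying many accounts is slowed down even though no single account crosses its threshold. The thresholds, the fake clock, and the `verify` callback are assumptions for illustration; a real deployment would keep the counters in shared storage and age them out.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-key failure tracking that combines throttling and lockout.

    Keys are arbitrary strings; attempt_login() below keys on both
    "user:<name>" and "ip:<addr>".
    """

    def __init__(self, free_attempts=3, max_delay=300, lockout_after=10,
                 lockout_seconds=900, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._blocked_until = defaultdict(float)

    def wait_time(self, key: str) -> float:
        """Seconds this key must still wait before an attempt is accepted (0 if allowed)."""
        return max(0.0, self._blocked_until[key] - self.clock())

    def record_failure(self, key: str) -> None:
        n = self._failures[key] + 1
        self._failures[key] = n
        now = self.clock()
        if n >= self.lockout_after:
            # Hard lockout: no attempts at all for lockout_seconds.
            self._blocked_until[key] = now + self.lockout_seconds
        elif n > self.free_attempts:
            # Throttling: 2, 4, 8, ... seconds of delay, capped at max_delay.
            self._blocked_until[key] = now + min(2 ** (n - self.free_attempts), self.max_delay)

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, source_ip: str,
                  password: str, verify) -> tuple:
    """Run one login attempt through the throttle. Returns (ok, message)."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    wait = max(throttle.wait_time(k) for k in keys)
    if wait > 0:
        # Refuse before touching the credential store; the message is the same
        # whether or not the account exists, so it leaks nothing to a sprayer.
        return False, f"try again in {wait:.0f}s"
    if verify(username, password):
        # Reset only the account counter: a valid login must not clear the
        # record of a source that has been hammering other accounts.
        throttle.record_success(keys[0])
        return True, "ok"
    for k in keys:
        throttle.record_failure(k)
    return False, "invalid credentials"


if __name__ == "__main__":
    # Constructed credential store and a fake clock so the demo runs instantly.
    users = {"alice": "correct horse battery staple"}
    verify = lambda u, p: users.get(u) == p
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    for guess in ("123456", "password", "qwerty", "letmein", "correct horse battery staple"):
        print(clock[0], attempt_login(throttle, "alice", "203.0.113.5", guess, verify))
    clock[0] = 3.0  # let the 2-second backoff expire
    print(clock[0], attempt_login(throttle, "alice", "203.0.113.5", "correct horse battery staple", verify))
```

Note that the source-address key is what stops spraying here, and it is also the one that needs care in production: many legitimate users can share one NAT address, so the per-IP thresholds should be looser than the per-account ones, and the counters must decay over time rather than accumulate forever as in this demo.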
Detection and mitigation
Equally important are detection and mitigation. Monitor login attempts and look for the patterns that distinguish an attack from a user who has mistyped a password: many failures for one account, many different accounts failing from one source address, or a success that follows a burst of failures from the same source.
Encrypting network traffic end to end (TLS everywhere, with internal login services reachable only over a VPN or a zero-trust gateway) also helps: credentials and session identifiers cannot be captured in transit, and a login interface that is not exposed to the internet cannot be brute-forced from it, which reduces the company’s attack surface.
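As an added illustration (not part of the original article) of what such monitoring looks like in practice, the following script parses OpenSSH `auth.log` lines and flags the three patterns just described. The log lines are constructed for the example, and the thresholds are assumptions; tune them to your own baseline.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format; not a real capture.
SAMPLE_LOG = """\
Mar 14 09:01:02 bastion sshd[2011]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Mar 14 09:01:03 bastion sshd[2012]: Failed password for alice from 203.0.113.5 port 51235 ssh2
Mar 14 09:01:03 bastion sshd[2013]: Failed password for alice from 203.0.113.5 port 51236 ssh2
Mar 14 09:01:04 bastion sshd[2014]: Failed password for alice from 203.0.113.5 port 51237 ssh2
Mar 14 09:01:04 bastion sshd[2015]: Failed password for alice from 203.0.113.5 port 51238 ssh2
Mar 14 09:01:05 bastion sshd[2016]: Failed password for alice from 203.0.113.5 port 51239 ssh2
Mar 14 09:01:06 bastion sshd[2017]: Accepted password for alice from 203.0.113.5 port 51240 ssh2
Mar 14 09:02:10 bastion sshd[2031]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 14 09:02:11 bastion sshd[2032]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 14 09:02:11 bastion sshd[2033]: Failed password for carol from 198.51.100.7 port 40003 ssh2
Mar 14 09:02:12 bastion sshd[2034]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Mar 14 09:02:12 bastion sshd[2035]: Failed password for dave from 198.51.100.7 port 40005 ssh2
Mar 14 09:02:13 bastion sshd[2036]: Failed password for erin from 198.51.100.7 port 40006 ssh2
Mar 14 09:05:00 bastion sshd[2050]: Failed password for bob from 192.0.2.10 port 50100 ssh2
Mar 14 09:05:09 bastion sshd[2051]: Accepted password for bob from 192.0.2.10 port 50101 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed thresholds for the demo.
BRUTE_FORCE_MIN = 5    # failures against one account from one source
SPRAY_MIN_USERS = 5    # distinct accounts tried from one source
SPRAY_MAX_PER_USER = 2 # ...with no account tried more often than this


def parse(log_text: str):
    """Yield (source_ip, user, accepted) for each password authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "Accepted"


def analyze(log_text: str) -> dict:
    """Return {source_ip: [finding, ...]} for sources showing attack patterns."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    findings = defaultdict(list)
    for ip, user, accepted in parse(log_text):
        if accepted:
            # A success after a burst of failures from the same source is the
            # event worth paging on: the guessing may have worked.
            if failures[ip][user] >= BRUTE_FORCE_MIN:
                findings[ip].append(
                    f"possible compromise: success for {user} after {failures[ip][user]} failures")
        else:
            failures[ip][user] += 1
    for ip, per_user in failures.items():
        worst_user, worst = max(per_user.items(), key=lambda kv: kv[1])
        if worst >= BRUTE_FORCE_MIN:
            findings[ip].append(f"brute force: {worst} failures against {worst_user}")
        if len(per_user) >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_PER_USER:
            findings[ip].append(
                f"password spraying: {len(per_user)} accounts, at most {worst} attempt(s) each")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        for note in notes:
            print(f"{ip}: {note}")
```

The single failure from 192.0.2.10 followed by a success is a user mistyping a password and produces no finding. The per-source logic has a known blind spot: spraying distributed across a botnet stays under every per-IP threshold, so a second view that counts distinct accounts failing per time window regardless of source is needed alongside it.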
Limit access privileges
To reduce impact, segment your network and restrict each user’s access privileges to what their role requires, following least-privilege and zero-trust principles. A compromised set of credentials then grants access to a few company systems, not to the whole network.
Network detection and response
Network detection and response (NDR) solutions are a powerful defense against brute force attacks: they detect an attack by distinguishing machine-driven login patterns from human behavior and either alert the administrator or block the source themselves (directly or through integration with firewalls and identity systems).
In a similar vein, dedicated detectors watch authentication logs and network traffic for brute-force attempts and vulnerability scans.
Last but not least, regular awareness training for all employees is paramount – end-users need to understand the importance of strong passwords and MFA, and they need to be trained in their effective use.
Brute force attacks remain an active threat to any business that operates online. Companies with remote workforces are at elevated risk because their internet-facing login services (VPN gateways, remote desktop, webmail) give adversaries multiple entry points to target.
Small and medium businesses, which often lack enterprise-grade security solutions, should rely on a multi-layered approach consisting of strong passwords, multi-factor authentication, login throttling, network encryption, and zero-trust network access, at the very least.