Read on to learn about a simple but widely used form of hacking that consists of guessing a combination of login information.
How do brute force attacks work?
A brute force attack is a method hackers use to guess passwords, login details and encryption keys. It is a simple but effective way to gain unauthorised access to individual accounts and to organisations' systems and networks. The hacker typically tries out many usernames and passwords, often using a computer to test numerous combinations, until the correct credentials are found.
Types of brute force attacks
There are different types of brute force attack methods that allow cyber criminals to gain unauthorised access and steal user data.
Simple brute force attacks
A simple brute force attack occurs when a hacker attempts to guess a user's login credentials manually, without using any software, typically by trying likely combinations of common passwords.
These attacks are simple because many people still use weak passwords or practise poor password etiquette, such as using the same password for multiple websites. Passwords can also be guessed after minimal reconnaissance, for example from the name of a person's favourite sports team or pet.
Dictionary attacks
A dictionary attack is a basic method of brute force hacking where the hacker selects a target and then tests possible passwords against that person's username. The method itself is not technically considered a brute force attack, but it can play an important role in the hacker's password cracking process.
The name "dictionary attack" comes from hackers using dictionaries and modifying the words in them with special characters and numbers. This type of attack can take a long time and has a low chance of success compared to newer, more effective attack methods.
Hybrid brute force attacks
A hybrid brute force attack is when an attacker combines a dictionary attack with a simple brute force attack. It starts with the hacker knowing a username and then applying dictionary and simple brute force methods to find a working login combination.
The hacker starts with a list of potential words and then experiments with character, letter and number combinations to find the correct password. This approach allows hackers to discover passwords that combine common or popular words with numbers, years or random characters.
Reverse brute force attack
In a reverse brute force attack, the hacker begins the process with a known password, which is typically discovered through a data breach. The hacker uses this password to search for matching login credentials using lists of millions of usernames. Hackers can also use a commonly used weak password to search through a database of usernames for a match.
Credential stuffing
Credential stuffing exploits users' poor password habits. Hackers collect username and password combinations they have stolen and test them on other websites to see whether they can gain access to further user accounts. This approach succeeds when people use the same username and password combination, or reuse passwords, across different social media accounts and profiles.
Why do hackers perform brute force attacks?
Brute force hacking requires a lot of patience because it can take months or even years for a hacker to crack the password or encryption key.
Exploitation of advertising or activity data
A hacker can launch a brute force attack on a website or multiple websites to make money from advertising. Common methods include:
- Placing spam ads on popular websites, allowing the hacker to make money every time an ad is clicked on or viewed by a visitor.
- Redirecting traffic from a legitimate website to illegal ad sites.
- Infecting a website and website visitors with malware, such as spyware, that tracks user activity. The data collected is then sold to advertisers without the user's consent.
Stolen personal data
Hacking into a user's personal accounts can yield very valuable data, from financial details and bank accounts to confidential health information. Access to an account allows a hacker to forge a person's identity, steal their money, sell their credentials to third parties or use the information to carry out other attacks.
Personal data and credentials can also be stolen through corporate data breaches, where hackers gain access to organisations' sensitive databases.
Brute force hacking is often not personal. A hacker may simply want to create chaos and showcase their malicious skills. They may do this by spreading malware via email or SMS messages, hiding malware on a fake website designed to look like a legitimate site, or by redirecting website visitors to fake sites.
By infecting a user's computer with malware, the hacker can then enter connected systems and networks and carry out major cyber attacks against organisations.
Hijacking systems for malicious activity
Brute force hacking can let hackers take control of multiple devices and combine them into a botnet to launch larger attacks. A typical example is a distributed denial-of-service (DDoS) attack, which aims to overload the target's security defences and systems.
Damage the reputation of a company or website
Brute force attacks are often used in an attempt to steal data from an organisation, which not only hits it financially but also causes huge reputational damage. Websites can also be targeted by attacks that deface them with offensive text and images, degrading their reputation, which can lead to the website being taken down.
Brute force attack tools
Guessing a user's email or social media password can be a time-consuming process, especially if accounts have strong passwords. To simplify the process, hackers have developed software and tools to help them crack passwords.
Brute force attack tools include password cracking applications, which crack username and password combinations that would be extremely difficult for a person to crack on their own. Commonly used brute force attack tools include:
- Aircrack-ng: A suite of tools for assessing Wi-Fi network security that can monitor and export traffic and attack an organisation's network through methods such as fake access points.
- John the Ripper: An open source password recovery tool that supports hundreds of cipher and hash types, including user passwords for macOS, Unix and Windows, database servers, web applications, network traffic, encrypted private keys and document files.
These types of software can quickly test combinations to identify weak passwords and crack multiple computer protocols, wireless modems and encrypted storage devices.
Brute force attacks can also require enormous amounts of computing power. To cope with this, hackers use hardware that speeds up the process, such as combining a device's central processing unit (CPU) with its graphics processing unit (GPU). Offloading the guessing work to the GPU's many cores lets the system test many candidates in parallel, so hackers can guess passwords significantly faster.
How to prevent brute force attacks
Individuals and organisations can use several tactics to protect themselves from brute force attacks.
Use stronger passwords
The best way to defend against brute force attacks targeting passwords is to make passwords as difficult as possible to crack. End users have a key role in protecting their and their organisation's data by using stronger passwords and following best practice for passwords. This will make it harder and more time consuming for hackers to guess their passwords, which can lead to them giving up.
Best practice for stronger passwords includes:
- Create strong passwords with more characters: A basic rule of thumb is that passwords should be more than 12 characters long and contain upper and lower case letters, symbols and numbers. This greatly increases the difficulty of cracking a password and the time it takes, from a few hours to several years, unless the hacker has a supercomputer at hand.
- Use long passphrases: Although it is good password practice to use many characters, some websites restrict the length of a password. In that case, use complex passphrases to prevent hackers from succeeding with simple dictionary attacks. Passphrases are multiple words or word fragments combined with special characters, which makes them harder to guess.
- Create rules for password construction: Another good password tactic is to shorten words so that they appear incomprehensible to anyone who reads them. This can be done by removing vowels or using only the first two letters of each word and then building a sentence that makes sense out of a string of shortened words, for example shortening the word "hope" to "hb" or "blue" to "bl".
- Avoid common passwords: Frequently used passwords, such as a name, a sports team or simply "password", are extremely risky. Hackers know the most common words and phrases people use in their passwords and base their tactics on them to hack into people's accounts.
- Use unique passwords for each account: Through credential stuffing, hackers test passwords leaked from one website to check whether they are in use elsewhere. Unfortunately, this proves very successful because people often reuse their passwords across email accounts, social media profiles and news websites. Never use the same password for two websites or accounts.
- Use password managers: A password manager makes it easier to create secure, unique passwords for every website a person logs in to. It generates and keeps track of logins to multiple sites, so the user can access all their accounts simply by logging in to the password manager. With a password manager, users can create long and complex passwords, store them securely and not risk forgetting, losing or having them stolen.
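As an added example (not code from the article or from Moxso), the following Python checks a password against the rules above and estimates how long an exhaustive search of its character set would take. The common-password list is a constructed stand-in for a real leaked-password list, and the guess rate of 1e10 per second is an assumed figure, not one from the article.

```python
import re
import string

# Constructed stand-in for a real list of the most common leaked passwords (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "liverpool", "welcome"}

# Assumed attacker guess rate: 1e10 guesses per second, roughly what a GPU rig
# manages against a fast unsalted hash. Not a figure from the article.
GUESSES_PER_SECOND = 1e10
SYMBOLS = string.punctuation + " "


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, based on the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every string of this length over this alphabet."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / rate / (365 * 24 * 3600)


def check_password(password: str) -> list:
    """Return the rules from the article that the password breaks; [] means it passes."""
    problems = []
    if len(password) <= 12:
        problems.append("12 characters or fewer")
    if charset_size(password) < 26 + 26 + 10 + len(SYMBOLS):
        problems.append("missing upper case, lower case, digits or symbols")
    # A hybrid attack strips the decoration ("Password1!" -> "password"),
    # so judge the bare word, not just the exact string.
    base_word = re.sub(r"[^a-z]", "", password.lower())
    if base_word in COMMON_PASSWORDS:
        problems.append("based on a common password")
    return problems
```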
Improve user password protection
There is no point in users following password best practice if their organisation is unable to protect their data from brute force attacks. It is also incumbent on the organisation to protect its users and strengthen network security through tactics such as:
- Strong encryption: Protecting stored passwords with the strongest available encryption, such as 256-bit, reduces the chances of a brute force attack succeeding and makes passwords harder to crack.
- Salting the hash: Salting is a cryptographic technique that lets system administrators strengthen their password hashes. A salt - random letters and numbers stored in a separate database - is added to a password before it is hashed, to strengthen and protect it.
- Use multi-factor authentication (MFA): Adding a second authentication factor to a user login removes the sole dependency on passwords. With MFA, after users log in with their password they are asked for additional proof that they are who they say they are, such as a code sent by SMS or generated on their device, or a fingerprint scan. This can stop a hacker from gaining access to a user's account or business system even if they have the user's login details.
- Limit login attempts: Limiting the number of times a user can enter their password reduces the success rate of brute force attacks. Blocking the next login attempt after two or three failed logins can deter a potential hacker, while locking an account completely after multiple failed login attempts prevents the hacker from repeatedly testing username and password combinations.
- Use CAPTCHA to support logins: Adding a CAPTCHA to the login process can prevent an attacker from using automated tools to brute force their way into a user account or business network. CAPTCHA options include typing the text shown in an image, selecting matching image tiles and identifying objects that appear.
- Use an Internet Protocol (IP) blacklist: Maintaining a blacklist of IP addresses used in attacks helps protect a business network and its users from known attackers. The blacklist must be kept up to date to block new attacks.
- Remove unused accounts: Unused or unmaintained accounts offer cybercriminals an open door into an organisation. Companies should regularly remove unused accounts or, ideally, remove accounts as soon as employees leave, to prevent them from being used in a brute force attack. This is particularly important for employees with high-level permissions or access to sensitive company information.
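As an added example (not code from the article or from Moxso), this Python sketch combines two of the measures above: storing passwords as salted PBKDF2 hashes, and locking an account after three failed logins. The iteration count, the lockout duration and the in-memory user store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP's recommended count for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 3       # lock the account after three failed logins
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration


def hash_password(password, salt=None):
    """Return (salt, hash). A fresh random salt per user defeats precomputed tables."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGuard:
    """Constructed in-memory user store with per-account failed-attempt lockout."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the lockout can be tested
        self.users = {}         # username -> (salt, hash)
        self.failures = {}      # username -> (failed count, time of last failure)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def is_locked(self, username):
        count, last = self.failures.get(username, (0, 0))
        return count >= MAX_FAILED_ATTEMPTS and self.now() - last < LOCKOUT_SECONDS

    def login(self, username, password):
        """Return "ok", "denied" or "locked"; never reveals whether the user exists."""
        if self.is_locked(username):
            return "locked"
        # Always run the hash so an unknown username costs as much time as a wrong password.
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count, _ = self.failures.get(username, (0, 0))
        self.failures[username] = (count + 1, self.now())
        return "denied"
```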
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.