What is a brute force attack? | Definition, types and operation (2023)

A brute force attack is a hacking method that uses trial and error to crack passwordsaccess dataand encryption key. It's a simple yet reliable tactic to gain unauthorized access to individual accounts and organizational systems and networks. The hacker will try multiple usernames and passwords, often using a computer to try a variety of combinations until the correct credentials are found.

The name "brute force" comes from attackers who use excessive force to try to gain access to user accounts. Despite being an old method of cyber attack, brute force attacks are tried and tested and remain a popular tactic among hackers.

A simple brute force attack occurs when a hacker attempts to manually guess a user's credentials without using any software. This is usually done using standard password combinations or PIN (Personal Identification Number) codes.

These attacks are easy because many people still use weak passwords like "password 123" or "1234" or practice poor password etiquette, such as using the same password for multiple websites. Passwords can also be guessed by hackers who do minimal reconnaissance to crack someone's potential password, such as the name of their favorite sports club.

A dictionary attack is a basic form of brute force hacking in which the attacker chooses a target and then tries possible passwords against that person's username. The attack method itself is not technically considered a brute force attack, but it can play an important role in an attacker's password-cracking process.

The name "dictionary attack" comes from hackers who search dictionaries and modify words with special characters and numbers. This type of attack is typically time-consuming and has little chance of success compared to newer and more effective attack methods.

In a hybrid brute force attack, a hacker combines a dictionary attack method with a simple brute force attack. It begins when the hacker knows a username, then performs a dictionary attack and simple brute force methods to discover an account-login combo.

The attacker starts with a list of possible words and then experiments with combinations of characters, letters and numbers to find the right password. This approach allows hackers to discover passwords that combine common or popular words with numbers, dates, or random characters, such as For example, "SanDiego123" or "Rover2020".

A hacker can launch a brute force attack on a website or multiple websites to make a financial profit from the advertising fee. Common methods include:

1. Placing spam ads on popular websites, which allows the attacker to earn money each time a visitor clicks or views an ad.
2. Redirect traffic from legitimate websites to illegal commissioned ad pages.
3. Infecting a website and website visitors with malware, such as spyware, that tracks activity. The collected data is then sold to advertisers without the user's consent.

Hacking a user's personal accounts can yield a treasure trove of data, from financial records and bank accounts to sensitive medical information. Access to an account allows an attacker to spoof someone's identity, steal their money, sell their credentials to third parties, or use the information to launch broader attacks.

Personal data and credentials can also be stolen through corporate data breaches, which allow attackers to gain access to companies' sensitive databases.

Brute force attacks are often not personal. A hacker might just want to wreak havoc and show off their malicious skills. They can do this by proliferating malware via email or Short Message Service (SMS) messages, hiding malware in a fake website that looks like a legitimate website, or by redirecting website visitors to malicious websites.

By infecting a user's computer withMalware, the attacker can penetrate connected systems and networks and launch broader cyberattacks against organizations.

Guessing the password for a user's email address or social networking site can be a slow process, especially if the accounts have strong passwords. To make the process easier, hackers have developed software and tools to help them crack passwords.

Brute force attack tools include password cracking applications that crack username and password combinations that would be extremely difficult for a person to crack himself. Commonly used brute force attack tools include:

1. Aircrack-ng - A set of tools that assess the security of Wi-Fi networks to monitor and export data and attack an organization through methods such as rogue access points and packet injection.
2. John the Ripper – An open-source password recovery tool that supports hundreds of encryption and hash types, including macOS, Unix, and Windows user passwords, database servers, web applications, network traffic, encrypted private keys, and document files.

These types of software can quickly guess combinations that identify weak passwords and crack multiple computer protocols, wireless modems, and encrypted storage devices.

A brute force attack can also require large amounts of computing power. To counter this, hackers have come up with hardware solutions that simplify the process, such as: B. the combination of the central processing unit (CPU) and the graphics processing unit (GPU) of a device. The addition of the GPU processing core allows a system to process multiple tasks simultaneously and allows hackers to crack passwords much faster.

The best protection against password brute force attacks is to make passwords as hard to crack as possible. End users play a key role in protecting their data and that of their organization by using stronger passwords and following strict password best practices. This makes it harder and slower for attackers to guess your passwords, which can cause them to give up.

Best practices for stronger passwords include:

1. Create strong, multi-character passwords: As a rule of thumb, passwords should be longer than 10 characters and contain uppercase and lowercase letters, symbols, and numbers. This greatly increases the difficulty and time it takes to crack a password from a few hours to several years unless a hacker has a supercomputer handy.
2. Use Fancy Passphrases – While using more characters in passwords is good practice, some websites may have restrictions on how long a password can be. Therefore, use complex passphrases to prevent attackers from being successful with simple dictionary attacks. Passphrases are multiple words or segments of special characters that make it difficult to guess.
3. Create rules for creating passwords: Another good password tactic is to shorten words to make them look nonsensical to other people reading them. This can be achieved by removing the vowels or using only the first two letters of words and then forming a meaningful sentence from a series of abbreviated words. For example, shorten the word "hope" to "hp" or "blue" to "bl".
4. Avoid common passwords: Commonly used passwords such as name, sports team, or just "password" are extremely risky. Hackers know common words or phrases people use in their passwords and implement tactics based on those common words to hack into people's accounts.
5. Use unique passwords for each account: Credential Stuff lets hackers test passwords used on websites to see if they're used elsewhere. Unfortunately, this is proving very successful as people often reuse their passwords across email accounts, social media profiles, and news websites. It's important to never use the same password for two websites or accounts.
6. Use Password Managers: A password manager makes it easy for users to create strong, unique passwords for any website they log into. Automatically creates and tracks user logins across multiple websites, allowing the user to access all of their accounts simply by logging into the password manager. With a password manager, users can create long and complex passwords, store them securely and don't risk forgetting, losing or having them stolen.

There's little point in users following strong password best practices if your organization can't protect your data from brute force attacks. The responsibility also falls on the organization to protect and empower its usersnetwork securityThrough tactics like:

1. Use high encryption rates - Encrypting system passwords with the highest encryption rates available, such as B. 256 bit, limits the chances of success of a brute force attack and makes it more difficult to crack passwords.
2. Salt the Hash: Salt the Hash is a cryptographic tactic that allows system administrators to strengthen their password hashes. They add a salt (random letters and numbers stored in a separate database) to a password to strengthen and protect it.
3. Use multi-factor authentication (MFA): When you add authentication to a user's login, you remove the dependency on passwords. With MFA, after a user logs in with their password, they must provide additional proof that they are who they say they are, such as a passport. B. a code sent via SMS or on their device or a fingerprint scan. This can prevent a hacker from gaining access to a user's account or trading system, even if they have the user's credentials.
4. Limit login attempts - Limiting the number of times a user can re-enter their password credentials reduces the success rate of brute force attacks. Avoiding another login attempt after two or three failed login attempts can deter a would-be attacker, while immediately locking an account after numerous failed login attempts prevents the hacker from repeatedly trying out name combinations, username and password.
5. Use CAPTCHA to support logins - Adding a CAPTCHA field to the login process can prevent an attacker from using computers to enforce a user account or corporate network. CAPTCHA options involve entering text images that appear on the screen, checking various image boxes, and identifying the objects displayed.
6. Use an Internet Protocol (IP) blacklist - Implementing a blacklist of IP addresses used in attacks helps protect a corporate network and its users from known attackers. It is important to keep this blacklist up to date to prevent new attacks.
7. Delete unused accounts – Unused or unmaintained accounts provide an open door for cybercriminals to launch an attack on an organization. Businesses should ensure they regularly delete unused accounts, or ideally delete accounts as soon as employees leave the company to prevent them from being used in a brute force attack. This is especially important for employees with high-level privileges or access rights to sensitive company information.

In addition to user awareness and strong IT security, companies must ensure that systems and software are always up to date and provide continuous support to employees.

1. Provide password training: It's important for users to understand password security, best practices, and the telltale signs of cyberattacks. They also need training and regular updates to stay abreast of the latest threats and reinforce best practices. Corporate password management tools or vaults also allow users to store complex passwords and eliminate the risk of losing their passwords, which could compromise corporate data.
2. Monitor networks in real-time: Brute force attacks can be detected through detective activity such as multiple login attempts and logins from new devices or unusual locations. Businesses must constantly monitor their systems and networks for suspicious or unusual behavior and immediately block potentially malicious activity.

Encryption is a cybersecurity tactic that scrambles data so that it appears as a series of random characters. The correct encryption key decrypts the data.

A 128-bit encryption key would require two to the power of 128 to crack, which is impossible for most powerful computers. Most websites and web browsers use it. 256-bit encryption further strengthens data protection to the point that even a powerful computer capable of checking trillions of combinations every second would never crack it. This makes the 256-bit encryption completely immune to brute force attacks.

Fortinet protects companies against brute force attacksfortiwebWeb Application Firewall (WAF). FortiWeb protects mission-critical web applications from advanced attacks targeting known vulnerabilities and zero-day attacks. The solution keeps pace with the rapidly evolving security landscape, ensuring organizations stay secure as new features and updates are released or new application programming interfaces (APIs) are released.

FortiWeb also enables organizations to identify unusual or anomalous behavior and distinguish between malicious and benign behavior. read oursGuide to Preventing Brute Force Attacksvia FortiWeb for more information.