By Jeffrey Wheatman

A brute force attack, unlike many cybersecurity terms, is exactly what it sounds like. There is no subtlety, subterfuge, misdirection or sleight of hand here. But also, no one’s throwing physical punches.

A brute force attack is an attack in force against someone’s secret – usually a password. The goal is to gain access to the password; the attack involves throwing as many attempts at the system as possible, in as short a time as possible, with the hope of guessing correctly.

They are invariably automated – for perspective, there are more than 208 billion combinations of passwords using a basic 8 lower-case letters, and the number climbs rapidly when you add upper- and lower-case letters, numbers, and special characters – imagine having to type all those passwords by hand.

The mechanism is fairly simple. Try password after password really, really fast until you get the right one. One twist: if the attacker(s) can gain access to the file where all the passwords are stored, they can run the attack offline on all accounts at the same time – kind of like the difference between stealing a car from someone’s house (one car that someone uses regularly) vs. stealing one from the airport parking lot (lots of cars that probably sit for a while).

What Does a Brute Force Password Attack Usually Look Like?

There are a number of approaches that can be used, but ultimately attackers make a tradeoff between how much ground they cover and how long it takes. In order of how long it takes to run through the whole range of guesses:

  • dictionary attacks, which use common words
  • hybrid attacks, which use common words with some common substitutions (subbing ‘1’ for ‘l’ as an example – elite becomes 31it3)
  • full-on brute force, which runs through all combinations (aaaaaa, aaaaab, aaaaac … ZZZZZZZ). The more complex the password, the longer it takes – a 16-character password with full complexity would take on average 438 trillion years to crack using current computing power

Passwords Nearly Always Contain Familiarity to the User

And don’t forget – many people create passwords from things near to them: names of spouses, kids, pets, birthdates, addresses, and phone numbers. This decreases the number of attempts the hacker has to make.

What Other Techniques Can Be Used by Threat Actors?

Systems don’t usually store the passwords themselves; they store codes called hashes (the password is put through a fixed set of steps [a>d, b>e, etc]). This approach is not reversible [you can’t go backwards] but it is repeatable, meaning “password” always gets hashed as &^%$#$. If you were able to access the password file – the parking lot from earlier – you could pre-compute all the hashes and use the result to ‘reverse’ the process. In other words, if ‘password’ becomes ‘&^%$#$’, and you see ‘&^%$#$’ in the file, you know the password is ‘password.’
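To see why that precomputed lookup works against a plain hash file, and what stops it, here is an added Python example (not from this article): the accounts, the tiny word list and the PBKDF2 work factor are all constructed/assumed, and the per-user salt plus slow KDF is the standard defence, not something the article prescribes.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
# Constructed stand-in for the precomputed table the article describes.
COMMON_WORDS = ["password", "letmein", "qwerty", "123456"]
ITERATIONS = 200_000  # assumed work factor; tune to your hardware

def unsalted_hash(password: str) -> str:
    """One-way but repeatable: 'password' always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt plus a slow KDF: same password, different digest, and
    every guess costs ITERATIONS hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def build_lookup_table(words):
    """Precompute digest -> plaintext once; reusable against any unsalted file."""
    return {unsalted_hash(w): w for w in words}

def recover_from_unsalted_file(stored, table):
    """One lookup per account; users sharing a listed password fall together."""
    return {user: table[h] for user, h in stored.items() if h in table}

def store_salted(users):
    """What a defended system stores per user: a random salt and the salted digest."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_hash(pw, salt))
    return out

def verify_salted(stored, user, attempt):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = stored[user]
    return hmac.compare_digest(salted_hash(attempt, salt), digest)

def demo():
    """Returns (accounts recovered from the unsalted file, hits against the salted one)."""
    table = build_lookup_table(COMMON_WORDS)
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = store_salted(USERS)
    hits = sum(digest in table for _, digest in salted.values())
    return recover_from_unsalted_file(unsalted, table), hits
```

Against the unsalted file the table recovers alice and bob in two lookups; against the salted file the same table scores zero hits, and each guess must be recomputed per user at the KDF's cost.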

A relatively new attack is credential stuffing. Since there have been so many breaches, it’s likely that every username/password combo is out there already. Attackers know that many people use the same passwords in many locations. The attackers take those username/password combinations and try them on other sites, hoping you use the same or similar passwords. If so – bingo, they are in without having to brute force billions of passwords.

Why Bother Doing a Brute Force Attack?

Ultimately, the goal of attackers is financial. Account access gives access to money, which can be stolen. Systems can then be used to run software attackers can use to attack others, plus data can be sold.

What Tools Do Hackers Use to Complete the Attack?

The tools are pretty standard and have been around for a long time. Mostly, they are scripts: small pieces of software that do the same thing over and over. In this case, putting usernames and passwords into websites and other systems. They can usually be configured to try different approaches, and they often have cool or funny names: Gobuster, BruteX, Dirsearch, Callow, SSB, Thc-Hydra, Burp Suite, Patator. But at the end of the day, they are automation tools.

How Can One Prevent Brute Force Attacks?

As an end user you can do a bunch of things. First of all, use complex passwords – make them long and include upper- and lower-case letters, numbers, and special characters. Use different passwords for every site – yes, I know it’s annoying. For sites that provide multifactor authentication (MFA), use it. MFA adds an extra layer of security: it typically requires a code or a physical device in addition to your password to log in.

For companies: set up strong password policies, offer (and require) MFA, and set up account lockouts after an excessive number of login attempts.

Together we can put controls in place to at least decrease our risk of attacks, specifically brute force attacks! (And protect the nose with those fists).