Brute-Force Attacks and How to Defend Against Them
Kris Kilgard, Division President of Locknet Managed IT.
What are brute-force attacks?
The name “brute force” comes from attackers using excessively forceful attempts to gain access to user accounts. Despite being an older cyberattack method, brute-force attacks remain a popular tactic with hackers.
In its simplest form, a brute-force attack uses trial and error, trying different combinations of characters or words until the correct password is guessed. While this isn’t the most efficient type of attack, it still succeeds often enough to remain worthwhile for hackers. Don’t think about it as one person poking at a keyboard to come up with new password combinations. Instead, with specialized software, hackers can automatically attempt millions of passwords per second.
Once a hacker forces their way in, they will use their access to exploit digital advertising, steal data, hold data ransom, spread malware, or hijack systems.
Types of brute-force attacks
- Knowledge Based – This is also called a simple brute-force attack. An attacker guesses a user’s password by entering combinations of values built from known information about the targeted user. No additional software is needed; the attacker relies on information about the target found online or obtained through a social engineering attack. These attacks are “simple” because many people still use weak passwords, such as “password 1234”, or have poor password practices, such as using the same password for multiple websites.
- Dictionary – This is a basic form of brute-force hacking in which the attacker selects a target, then tests possible passwords against that individual’s username. It’s called a “dictionary attack” because hackers run through dictionaries, modifying words with special characters and numbers, and also use lists of common passwords downloaded from the internet.
- Hybrid – A hybrid attack uses a combination of simple and dictionary methods. Attackers combine their knowledge about the targeted user with dictionary words and phrases. This method uses private information such as the user’s birthday combined with a common or popular word.
- Credential Stuffing – This type of attack also preys on users’ weak password practices. Users often use the same passwords across several sites. An attacker who gains access to user passwords on one site will try the same ones on other sites, accounts, or social media profiles.
- Reverse Brute Force – This method takes a known password, usually discovered through a network breach, and automatically submits it to an application until a username is found. Attackers who use this method often download a list of stolen passwords from the dark web and apply them to user accounts to find a credential match.
How to prevent brute-force attacks
Several strategies are available to prevent and detect brute-force attacks. Most of them come down to better password practices in your workplace.
- Use Lengthy and Complex Passwords – A strong rule of thumb is that passwords should be 15 to 64 characters in length and include capital and lowercase letters, symbols, and numbers. Use multi-word passphrases to prevent attackers from succeeding with simple dictionary attacks. And always use unique passwords for every account.
- Two-Factor Authentication – Should an attacker successfully brute force a password, two-factor authentication would still block them from completing authentication on the account without the second factor.
- Limit the Number of Failed Login Attempts – Limiting how many times a password can be re-entered before the account is locked or throttled cuts the success rate of brute-force attacks, because the attacker can no longer test username and password combinations indefinitely.
- Require CAPTCHA – Adding a CAPTCHA box to the login process can prevent an attacker from using bots to brute force their way into a user account or business network. CAPTCHA options include typing the text shown in a distorted image, ticking multiple image tiles, and identifying objects that appear in them.
- Educate Employees – Make sure users in your organization understand the potential ramifications of a brute-force attack and why security measures and good password practices are important.
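A worked example of the failed-attempt limit described above, keyed on both the account and the source address so that it also catches the reverse brute force and credential-stuffing patterns described earlier (one host trying one password across many usernames). This is an added illustration, not Locknet’s code: the PBKDF2 password hashing, the thresholds (5 failures in 15 minutes, 5-minute lockout), and the sample user and IP addresses are assumptions chosen for the example.

```python
"""Login throttling example (added illustration): limits failed attempts per
username and per source IP with a sliding window and a temporary lockout."""
import hashlib
import hmac
import os
import time
from collections import defaultdict


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Assumed password-hashing scheme for the example: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user store: one account with a salted PBKDF2 hash.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}


class LoginThrottle:
    """Tracks failed logins per key (a username or a source IP) inside a sliding
    window and locks the key out once the failure budget is exhausted."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=300):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> time at which the lockout expires

    def _prune(self, key, now):
        # Drop failures that fall outside the sliding window.
        cutoff = now - self.window_seconds
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear the state and let the key try again.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Records one failure; returns True if this failure triggered a lockout."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def failures(self, key, now):
        self._prune(key, now)
        return len(self._failures[key])


def attempt_login(throttle, username, password, source_ip, now=None):
    """Returns "ok", "denied" or "locked". Throttling on the username stops
    guessing against one account; throttling on the source IP stops one host
    from spraying a known password across many accounts."""
    now = time.time() if now is None else now
    if throttle.is_locked(username, now) or throttle.is_locked(source_ip, now):
        return "locked"
    record = USERS.get(username)
    # Unknown users are compared against a dummy hash so the response time does
    # not reveal whether the username exists.
    salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if matched and record is not None:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    throttle.record_failure(source_ip, now)
    return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for guess in ["password 1234", "letmein", "qwerty", "Password1", "123456"]:
        print(guess, "->", attempt_login(throttle, "alice", guess, "203.0.113.5"))
    print("correct password now ->",
          attempt_login(throttle, "alice", "correct horse battery staple", "203.0.113.5"))
```

Note that a per-account lockout on its own can be turned into a denial of service against a known username, which is why a temporary, expiring lockout combined with a per-source limit is preferable to locking the account permanently; multi-factor authentication and CAPTCHA then cover whatever guesses still get through.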
Improving your password practices
The likelihood of a brute-force attack succeeding increases significantly when the attacker can submit unlimited guesses, when weak passwords are permitted, and when no additional challenge is required to complete a login. The team at Locknet Managed IT has multiple avenues to help with your password security. Download their Desktop Guide to Strong Passwords to get started. Then, work with their team to layer on additional services like multi-factor authentication, a password manager, and security awareness training for your employees. Contact the team at Locknet to learn more.