What Is a Brute-Force Attack?
Brute force is an attack method built on trial-and-error password guessing. Software automatically works through millions of candidate passwords, often common ones, until one is accepted. Once the brute-force attack succeeds, the attacker can use that access to steal data, empty bank accounts, install malware, or sell the credentials to other criminals on underground markets.
What Are the Types of Brute-Force Attacks?
1. Knowledge-Based Attacks
This attack leverages information gathered about a user from online sources or social engineering: attackers combine details of the user's life (names, dates, pets, interests) to guess their password. Phishing or spear-phishing emails are often used to collect this data.
2. Dictionary Attacks
Users often use simple words or phrases to form their passwords. A dictionary attack relies on commonly used words and phrases to guess a user’s password.
3. Credential Stuffing
To make it easier to recall their passwords, users often recycle their credentials. Credential stuffing takes advantage of this practice by using stolen passwords from one site to access another.
4. Reverse Brute Force
Instead of guessing many passwords for a given username, a reverse brute-force attack starts with a single common password, like “12345” or “password,” and tries it against many usernames. Because each account sees only one or two failures, this technique (also called password spraying) tends to slip under per-account lockout limits.
5. Hybrid Attacks
Combining knowledge about the intended target and dictionary words and phrases, attackers attempt to guess user passwords. For example, if they know the user’s birthday and partner’s name, they may combine that information to guess their password.
Why Do Brute-Force Attacks Work?
Brute-force password attacks succeed when an organization's password policy allows weak passwords and nothing limits how fast an attacker can guess. Attackers deploy tools to mount a sustained attack, typically bots that generate and submit a never-ending stream of password guesses.
In such circumstances it is often just a question of time before the attacker's bot succeeds. A seven-character password made only of lowercase letters has about eight billion possibilities; at 15 million guesses per second, trying all of them takes about nine minutes. (That rate assumes an offline attack against a stolen password hash; through a login form the attacker gets only as many guesses as the server accepts.) Many applications now require longer, more complex passwords, and because every added character multiplies the search space, the cost of exhaustive guessing grows exponentially with length. Even so, each guess costs the attacker almost nothing, which is why the attack remains popular.
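The arithmetic behind the nine-minute figure, as an added example (not code from the original article). It computes the size of a password space and the worst-case time to exhaust it at a given guess rate; the 15 million guesses per second is the rate the article quotes, and the character-set sizes are the usual ASCII classes.

```python
"""Added example: how long an exhaustive search of a password space takes
at a fixed guess rate. The rate is the one the article quotes for an
offline attack on a fast hash; an online attack through a login form is
orders of magnitude slower because the server, not the attacker, sets
the pace."""

# Assumption: ASCII character classes a policy might require.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "all_printable": 95,
}


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half of it."""
    return keyspace(length, charset_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '8.9 minutes'."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    rate = 15_000_000  # guesses per second, as quoted in the article
    for length in (7, 8, 12, 16):
        for name, size in CHARSETS.items():
            t = seconds_to_exhaust(length, size, rate)
            print(f"{length:2d} chars, {name:18s}: {human_duration(t)}")
```

Running it shows the effect the article describes: seven lowercase letters fall in under nine minutes, while twelve mixed-case alphanumerics take millions of years at the same rate.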
The longer an attacker remains undetected, the more guesses they can make against an organization's defenses. If an organization cannot quickly detect and flag bursts of unsuccessful logins, logins from unknown IP addresses, and logins from new locations, the chance that a brute-force attack succeeds increases significantly.
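What that detection looks like in practice, as an added example that is not part of the original article: a short detector run over constructed sshd-style log lines. It flags a burst of failures from one address, one address cycling through many usernames (the reverse brute-force pattern), and a successful login from an address that had just been bursting. The log format (RFC 3339 timestamps, as rsyslog can emit) and the thresholds are assumptions for the example.

```python
"""Added example: flag brute-force patterns in sshd-style auth log lines.
The sample log below is constructed for the example; the thresholds are
illustrative and would be tuned to the environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 hammers one account and then gets in,
# 198.51.100.9 tries one password across many usernames, 192.0.2.5 is a
# normal user who mistyped once.
SAMPLE_LOG = """\
2024-03-05T10:15:01+00:00 bastion sshd[4011]: Failed password for alice from 203.0.113.7 port 51234 ssh2
2024-03-05T10:15:02+00:00 bastion sshd[4012]: Failed password for alice from 203.0.113.7 port 51235 ssh2
2024-03-05T10:15:02+00:00 bastion sshd[4013]: Failed password for alice from 203.0.113.7 port 51236 ssh2
2024-03-05T10:15:03+00:00 bastion sshd[4014]: Failed password for alice from 203.0.113.7 port 51237 ssh2
2024-03-05T10:15:04+00:00 bastion sshd[4015]: Failed password for alice from 203.0.113.7 port 51238 ssh2
2024-03-05T10:15:05+00:00 bastion sshd[4016]: Accepted password for alice from 203.0.113.7 port 51239 ssh2
2024-03-05T10:20:10+00:00 bastion sshd[4020]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
2024-03-05T10:20:11+00:00 bastion sshd[4021]: Failed password for invalid user oracle from 198.51.100.9 port 40002 ssh2
2024-03-05T10:20:12+00:00 bastion sshd[4022]: Failed password for bob from 198.51.100.9 port 40003 ssh2
2024-03-05T10:20:13+00:00 bastion sshd[4023]: Failed password for invalid user test from 198.51.100.9 port 40004 ssh2
2024-03-05T10:30:00+00:00 bastion sshd[4030]: Failed password for carol from 192.0.2.5 port 60000 ssh2
2024-03-05T10:30:20+00:00 bastion sshd[4031]: Accepted password for carol from 192.0.2.5 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn matching lines into event dicts; lines we do not understand are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, window=timedelta(minutes=5), max_failures=4, max_users=3):
    """Return alert name -> sorted list of source IPs that triggered it."""
    fails_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e["ts"])
            users_by_ip[e["ip"]].add(e["user"])

    burst_at = {}  # ip -> time the failure threshold was first crossed
    spray = set()
    for ip, times in fails_by_ip.items():
        times.sort()
        # Sliding window: `max_failures` failures inside `window` is a burst.
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                burst_at[ip] = times[i + max_failures - 1]
                break
        # Many distinct usernames from one source is spraying / reverse brute force.
        if len(users_by_ip[ip]) >= max_users:
            spray.add(ip)

    # A success from a bursting address after the burst is the alert that matters most.
    compromised = {
        e["ip"] for e in events
        if e["ok"] and e["ip"] in burst_at and e["ts"] >= burst_at[e["ip"]]
    }
    return {
        "burst": sorted(burst_at),
        "spray": sorted(spray),
        "success_after_burst": sorted(compromised),
    }


if __name__ == "__main__":
    for name, ips in detect(parse(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(ips) or '-'}")
```

The spray rule is the one to watch: a per-account failure counter never fires on 198.51.100.9, because no single account sees more than one failure, so the detector has to pivot on the source address rather than the username.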
Why Are Brute-Force Attacks Used?
Brute-force attacks are usually the initial-access step of a larger intrusion. Once the attacker holds a working login, they can deploy malware, launch a ransomware attack, steal data for financial gain, or cause damage in other ways.
Brute-Force Attacks and Botnets
Brute-force attacks are often conducted by bots and botnets, which can submit guesses at a rate, and for a duration, that no human could match. That is why simple passwords fall so fast: thousands of bots may be guessing at once, each from a different IP address, which also makes the attack harder to stop by blocking a single source.
Example of a Brute-Force Attack
In 2020, the Canada Revenue Agency (CRA) was on the receiving end of a credential-stuffing attack, one of the brute-force variants described above. The attackers used previously stolen username and password pairs rather than guessing from scratch, and roughly 11,000 accounts were compromised. The attack forced the service to shut down temporarily, and the compromised accounts were linked to the GCKey portal, a login system used by 30 federal departments.
How Do You Defend Against a Brute-Force Attack?
Enforce the Use of Lengthy and Complex Passwords
The longer and more complex a password is, the more time and computing power an attacker needs to guess it. Require at least 8 characters for all users, and preferably 12 or more; because every extra character multiplies the search space, length does more than any other single rule. Mixing upper- and lower-case letters, digits, and special characters adds to the difficulty. A long password drawn from a large character set can take years to exhaust by brute force even on the most powerful computing infrastructure. Length and complexity rules do nothing against dictionary, credential-stuffing, and hybrid attacks, however, so also reject passwords that appear on lists of common or previously breached passwords, including the "Password1!" style variations users apply to them.
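A password-acceptance check that enforces the rules above, as an added example that is not code from the original article. Besides the length and character-class rules, it normalizes the candidate (lower-case, strip the digits and symbols bolted onto the ends, undo common leet substitutions) before comparing it to a deny list, so that the hybrid and dictionary variants the article describes are caught too. The deny list, the 12-character floor, and the three-class rule are assumptions for the example; a real deployment screens against a breach corpus of millions of entries.

```python
"""Added example: password policy check with a dictionary-style screen.
COMMON_PASSWORDS is a constructed stand-in for a real breached-password
list; MIN_LENGTH and MIN_CLASSES are assumed policy values."""
import string

MIN_LENGTH = 12   # assumption: length floor enforced by this example
MIN_CLASSES = 3   # assumption: of lower, upper, digit, symbol

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common substitutions users make to a dictionary word to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce 'P@ssw0rd123!' to 'password' so the deny list still matches.

    Order matters: strip the appended digits/symbols first, then undo the
    leet substitutions inside the core word."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def char_classes(password: str) -> int:
    """How many of the four character classes the password uses."""
    checks = (
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: c in string.punctuation,
    )
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password: str, deny=COMMON_PASSWORDS) -> list:
    """Return the list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Check the raw form too: normalize() strips an all-digit password to nothing.
    if password.lower() in deny or normalize(password) in deny:
        problems.append("common password with cosmetic changes")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "Tr0ub4dor&3", "correct horse battery staple",
                      "Mauve-Kettle-Orbit-42", "12345"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that the character-class rule rejects "correct horse battery staple", a long passphrase that is far stronger than "P@ssw0rd123!". That is the known weakness of composition rules, and it is why the breached-password screen, not the class count, should carry the most weight.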
Deploy Multi-Factor Authentication
If an attacker guesses a user's login credentials, all is not lost. They are still thwarted if the user must supply a second factor, such as a one-time code generated by an authenticator app or sent to their phone or email, or a biometric such as a face scan or fingerprint. The key is adding that extra layer of identification to your organization's defenses, so that a correctly guessed password on its own is not enough and the brute-force attack is stopped before it can do any damage.
Cap the Number of Failed Login Attempts
Limit the number of failed logins from a single IP address and against a single account; this is the default in many applications. Some organizations allow only three failed attempts before blocking further attempts; others allow up to five. When a user hits the cap, some businesses block further logins until the user restores access through a help-desk call. Others allow new attempts after 15 to 30 minutes, which is less strict but more user friendly. Either way, the cap stops bots that would otherwise run continuous attacks against a single login page. Two cautions: a lockout keyed on the username alone lets an attacker deliberately lock legitimate users out by hammering their names, so key it on the source address as well; and a per-address cap is what catches reverse brute force, where each account sees only one failure.
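An in-memory login throttle implementing those rules, as an added example that is not code from the original article. It counts failures per (source IP, account) and per source IP, locks out for a window that doubles on each repeated lockout, and lets the lock expire so a blocked user can retry later. The thresholds are assumptions; in production the counters would live in a store shared by all application servers.

```python
"""Added example: failed-login cap with progressive lockout. Thresholds
are assumed values for the example; `now` is passed in as a unix time so
the behaviour is deterministic and testable."""
from collections import defaultdict


class LoginThrottle:
    """Caps failures per (ip, account) and per ip, with doubling lockouts."""

    def __init__(self, max_failures=5, window=15 * 60, base_lockout=15 * 60,
                 max_lockout=24 * 3600, ip_max_failures=50):
        self.max_failures = max_failures        # per (ip, account)
        self.ip_max_failures = ip_max_failures  # per ip across all accounts (catches spraying)
        self.window = window                    # seconds over which failures are counted
        self.base_lockout = base_lockout        # first lockout length, seconds
        self.max_lockout = max_lockout          # cap on the doubled lockouts
        self.failures = {}                      # key -> (count, window_start)
        self.locked_until = {}                  # key -> unix time the lock expires
        self.lockouts = defaultdict(int)        # key -> prior lockouts (drives backoff)

    @staticmethod
    def _keys(ip, user):
        return f"acct:{ip}:{user}", f"ip:{ip}"

    def _limit(self, key):
        return self.ip_max_failures if key.startswith("ip:") else self.max_failures

    def retry_after(self, ip, user, now):
        """Seconds until the next attempt is allowed; 0 if not locked."""
        return max([self.locked_until.get(k, 0) - now for k in self._keys(ip, user)] + [0])

    def record(self, ip, user, success, now):
        acct_key, ip_key = self._keys(ip, user)
        if success:
            # Only the account counter resets: a success proves the password,
            # so an attacker cannot use their own valid login to launder an IP counter.
            self.failures.pop(acct_key, None)
            self.lockouts.pop(acct_key, None)
            return
        for key in (acct_key, ip_key):
            count, start = self.failures.get(key, (0, now))
            if now - start > self.window:
                count, start = 0, now           # stale window: start counting afresh
            count += 1
            self.failures[key] = (count, start)
            if count >= self._limit(key):
                duration = min(self.base_lockout * 2 ** self.lockouts[key], self.max_lockout)
                self.locked_until[key] = now + duration
                self.lockouts[key] += 1
                self.failures.pop(key)

    def attempt(self, ip, user, verify, now):
        """One login attempt. `verify()` performs the real credential check and is
        skipped entirely while locked, so a locked attacker gets no oracle at all."""
        if self.retry_after(ip, user, now) > 0:
            return "locked"
        ok = verify()
        self.record(ip, user, ok, now)
        return "ok" if ok else "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, base_lockout=900)
    for t in range(4):
        print(t, throttle.attempt("203.0.113.7", "alice", lambda: False, now=t))
    print("retry after", throttle.retry_after("203.0.113.7", "alice", now=4), "seconds")
```

Keying the account counter on (ip, user) means alice can still log in from her own address while an attacker's address is locked out of her account, which is the denial-of-service trade-off the lockout cap has to manage. The per-IP cap is only a partial answer to a botnet, since the attacker can spread guesses across thousands of addresses; that is why the cap works alongside MFA and monitoring rather than instead of them.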
Require a CAPTCHA
Brute-force attacks often involve bots. Requiring a CAPTCHA, a challenge–response test designed to verify that a visitor to a site is human, can stop the automated part of an attack. Whatever CAPTCHA method you deploy, adding this layer prevents a bot from simply running a script and forces the human behind it to intervene, or to pay for a CAPTCHA-solving service, which raises the attacker's cost even where it does not end the attack. You can require a CAPTCHA at every login or only once failed attempts reach a threshold that suggests an automated login attempt.
Educate Employees
Security measures against brute-force attacks inconvenience users and can provoke resistance, so make sure users understand the consequences of a successful attack and why the measures are prudent and appropriate. Raising employees' awareness of the threat also makes them more alert and more likely to report suspicious activity that might be connected to an attack, such as an unexpected lockout or an MFA prompt they did not trigger.
Employee education plays an important role in combating brute-force attacks, since their buy-in is necessary for the adoption of, and compliance with, minimally invasive yet critical security controls.
How Arctic Wolf Can Help
Learn how a robust training program can help employees defend against brute-force attacks.
Understand how a 24×7 monitoring and detection program can stop a brute-force attempt before it becomes a data breach.