Brute force attacks

How they work & how to protect your business from them


In this article, we explore brute force attacks. You’ll learn how these attacks work, see real-world examples, and discover effective strategies to protect yourself and your organization from cybercriminals.

How does a brute force attack work? 

A brute-force attack is a trial-and-error method used to obtain information such as passwords or other access codes. The attacker uses software to try a large number of possible character combinations until the sequence that grants access to sensitive or encrypted data is found.

Brute force attacks can be used to launch a host of malicious activities, such as harvesting data, spreading malware and ransomware, diverting website traffic, and more. While brute force attacks have existed for many years, they’ve grown more sophisticated with the aid of software that enhances the speed and accuracy of this kind of attack. 

Brute-force attacks follow a crude and repetitive pattern rather than any clever technique; nevertheless, they are still widely used by cybercriminals today. The trick behind a brute-force attack is to exploit weaknesses in password management caused by the user or the administrator.

Why brute-force attacks are dangerous

In theory, any string can be recovered by a brute-force attack; how quickly depends on the strength of the surrounding security measures. These include access restrictions such as limiting the number of login attempts, or refusing further attempts for a certain period of time after many incorrect logins.

Without such security mechanisms in place, brute-force attacks can be carried out much faster. The two factors that essentially determine the success of such an attack are the time available and the capabilities of the attacker’s hardware, which largely dictate the speed of the attack. Common protections against brute force attacks include anti-virus software, anti-phishing solutions, anti-malware and ransomware solutions, good cyber hygiene, and user awareness training.

This method of attack, which some experts dismiss as crude, is used increasingly by internet criminals. It is used to attack FTP hosts, open ports and clients with remote desktop access enabled. In such cases, a flood of attempts can be launched in automated form; the attacker only has to define the framework by specifying a few parameters.

How password length determines the success of brute-force attacks

The weakness lies in the password length. Most users are simply negligent when choosing their password, and this is especially true for remote access. For whatever reason, shallow and simple character combinations such as names, dates of birth or keyboard patterns are chosen here. Users who do so put themselves at high risk. Short passwords of four to six characters are particularly affected.

Here’s an example:

For simplicity, employee A selects a four-character password for remote desktop access that consists only of lowercase letters. Attacker X is aware that the security arrangements in employee A’s company are only marginal. For this reason, the attacker decides to check all four-character lowercase combinations to obtain employee A’s password.

The resulting variants amount to 456,976, which mathematically corresponds to 26^4. Powerful hardware allows attacker X to gain the password of employee A in just a few seconds by setting the correct parameters in his brute-force software. If successful, the attacker gains full control of the system.

This example illustrates the relevance of password length, which every user should consider. The time the attacking software needs to search the space grows with every additional character. The same applies to the additional use of upper- and lowercase letters as well as numbers and special characters. It therefore seems advisable to use passwords of more than 32 characters. For cryptographic keys, lengths of 256 and 512 bits are common. Here, the level of difficulty on the attacker’s side is significantly higher than with a shorter string.
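As an added example that is not code from the original article, the following Python script generalizes the 26^4 calculation above to other alphabets and lengths and converts the resulting search space into a worst-case time at an assumed guess rate. The figure of one billion guesses per second is a constructed assumption for the illustration, not a measurement; the alphabet sizes (26, 52, 62, 94) are exact.

```python
import string

# Alphabets an attacker would enumerate, from smallest to largest.
# Sizes: 26, 52, 62 and 94 symbols respectively.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "mixed case": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
    "full printable": string.ascii_letters + string.digits + string.punctuation,
}

# Constructed assumption for the illustration, not a measured figure.
GUESSES_PER_SECOND = 1_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings: charset_size ** length.
    The article's case, 26 lowercase letters of length 4, gives 456,976."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every candidate at `rate` guesses per second.
    On average the attacker succeeds after half of this time."""
    return keyspace(charset_size, length) / rate


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet above that contains every character of
    `password`. A realistic attacker enumerates exactly that alphabet, so it
    is what determines the search space, not the alphabet the user imagined."""
    for chars in CHARSETS.values():
        if all(c in chars for c in password):
            return len(chars)
    return 256  # anything else is treated as arbitrary bytes


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.2f} {name}"


def comparison(lengths=(4, 6, 8, 12, 16)) -> list:
    """Worst-case search time for every alphabet/length pair, showing how
    length and alphabet size each multiply the attacker's work."""
    rows = []
    for name, chars in CHARSETS.items():
        for length in lengths:
            rows.append((name, length, worst_case_seconds(len(chars), length)))
    return rows


if __name__ == "__main__":
    for name, length, secs in comparison():
        print(f"{name:15} length {length:2}: {describe(secs)}")
```

Running the script prints a table in which the four-character lowercase case finishes in well under a millisecond at the assumed rate, while a twelve-character password over the full printable alphabet already exceeds a sixteen-character lowercase one; length and alphabet size compound, which is the point the text makes.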

5 effective ways to protect against brute-force attacks

Companies that follow basic security recommendations already have a first layer of protection against external attacks. In addition, however, it is strongly advised to integrate a professional data-security tool as a supplement.

  • Limit wrong entries

    Brute-force attacks can be effectively countered by restricting and slowing down the attacker. As already stated, attacks of this kind always follow the same pattern, and many of them can be contained by very simple precautionary measures.

    This refers, for example, to a protection mode that locks the user’s account after many incorrectly entered access codes. Here we recommend coupling the lock to a successively increasing time interval. Above all, this responds to the steadily increasing computing power that is naturally also available to cybercriminals.

    That computing power enables cybercriminals to find passwords in moderately protected systems within minutes or even seconds. Introducing a lock delays brute-force attacks significantly, although blocking the attempts entirely is not possible.

    However, this is not always a useful measure. Carelessly triggered lockouts of user accounts can cause additional administrative effort in a corporate network. Here it is important to find a middle ground and determine whether this approach is appropriate for protecting the company’s own infrastructure.
  • Use strong password combinations

    By contrast, requiring strong, sufficiently complex access codes for user accounts in advance is a simple option. As a rule, the access code should not be a combination of words that appear in a dictionary, such as the Duden or the Cambridge Dictionary. This prevents so-called dictionary attacks, in which a brute-force attack works through a word list entry by entry.
  • Find alternatives to traditional passwords

    Another way to reduce brute-force attacks is to give up access codes in the form of passwords. Alternatively, you could consider the use of tokens or OTPs. Using so-called one-time passwords completely prevents replay attacks in which attackers fake their identity. In a broader sense, this means that each subsequent authentication requires the generation of an additional OTP.
  • Use multi-way authentication

    The token solution is a form of two-factor authentication, also known as 2FA. This security measure is commonly used for banking transactions: in addition to the conventional login, another security level is added to authorize a transfer. This is possible with an SMS transfer code sent to a smartphone or with an mTAN generator. Another possibility is a Turing test, which determines whether the input comes from a human or a computer. This form of protection is also known as a captcha.

    Once hackers gain unauthorized access to an account, they can launch insider attacks through phishing campaigns, spear phishing attacks, and other email-borne threats. That’s why your organization should adopt AI-based threat detection and response technology, which enables you to limit the consequences of a compromised account.
  • Abstraction of standard structures

    If the security relates to the login area of an attached CMS, it is important not to adopt the directory structures specified by the manufacturer but to individualize them. This ensures that attackers cannot immediately find the directory paths of the admin area.

    It is also possible to grant only pre-defined IP addresses access to the respective admin area. Furthermore, it is recommended to individualize user names outside of a CMS as well. Login names such as “User” or “Admin” should generally be avoided.
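As an added example that is not part of the original article, the following Python code implements the measure recommended under “Limit wrong entries”: an account lock that is triggered after a number of consecutive failures and whose interval doubles with every further lock of the same account, combined with a salted, slow password check. The account name, password store, policy values (threshold, base and maximum lock time) and the controllable clock are constructed for the demonstration; a real deployment would persist the counters and also key them by source address.

```python
import hashlib
import hmac
import os
import time

# Policy values: constructed for the demonstration, tune them per deployment.
THRESHOLD = 5        # consecutive failures that trigger a lock
BASE_LOCK = 30.0     # seconds; doubles with every further lock of the same account
MAX_LOCK = 3600.0    # upper bound so a targeted account is never locked for days
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen store cannot be cracked quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class FakeClock:
    """Controllable clock so the lock timing can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    """Verifies passwords and locks an account after THRESHOLD consecutive
    failures; each further lock doubles the interval (successive extension)."""

    def __init__(self, credentials: dict, clock=time.monotonic):
        self.credentials = credentials   # {username: (salt, pbkdf2_hash)}
        self.clock = clock
        self.failures = {}               # username -> consecutive failures
        self.lock_count = {}             # username -> locks imposed so far
        self.locked_until = {}           # username -> clock value

    def attempt(self, username: str, password: str):
        """Returns ("ok", 0.0), ("denied", 0.0) or ("locked", seconds_remaining)."""
        now = self.clock()
        remaining = self.locked_until.get(username, 0.0) - now
        if remaining > 0:
            # Refuse even a correct password while locked; otherwise the lock
            # would not slow down an attacker who happens to hit the right guess.
            return "locked", remaining

        record = self.credentials.get(username)
        # Hash against a dummy salt for unknown users so the response time does
        # not reveal whether the account exists.
        salt, stored = record if record else (bytes(16), bytes(32))
        computed = hash_password(password, salt)
        valid = hmac.compare_digest(computed, stored) and record is not None
        if valid:
            self.failures.pop(username, None)
            self.lock_count.pop(username, None)
            return "ok", 0.0

        count = self.failures.get(username, 0) + 1
        if count < THRESHOLD:
            self.failures[username] = count
            return "denied", 0.0

        # Threshold reached: impose a lock that doubles with each repetition.
        locks = self.lock_count.get(username, 0)
        delay = min(BASE_LOCK * (2 ** locks), MAX_LOCK)
        self.lock_count[username] = locks + 1
        self.failures[username] = 0
        self.locked_until[username] = now + delay
        return "locked", delay


def build_guard(clock=None) -> LoginGuard:
    """Constructed credential store with a single account, for the demonstration."""
    salt = os.urandom(16)
    creds = {"alice": (salt, hash_password("correct horse battery", salt))}
    return LoginGuard(creds, clock or FakeClock())
```

The doubling interval is the part that matters against faster hardware: at five attempts per lock the attacker gets 5 guesses per 30 seconds, then per 60, per 120 and so on, so the 456,976 candidates of the four-character example would take years rather than seconds. The cap on the lock time and the reset on a successful login are the “middle ground” the text asks for, keeping a targeted legitimate user from being locked out indefinitely.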


Did you like our article on brute force attacks? Then other articles in our knowledge base might interest you as well. We help you learn more about cybersecurity topics such as Emotet, Trojans, IT Security, Cryptolocker, Ransomware, Phishing, GoBD, the Cyber Kill Chain and Computer Worms.