Brute Force Attack
A brute force attack cracks credentials by trying all possible combinations, by trial and error, until the password is guessed correctly. Because the number of combinations an attacker has to test depends on the length and complexity of the password, automated tools and scripts are usually employed, and brute force attacks are now mostly performed by bots.
Once a password is cracked, the attacker can gain access to the system and perform other malicious activities, such as exhausting the system's resources, harvesting personal and sensitive data for sale, impersonating legitimate users to launch phishing attacks, or spreading malware to infect more systems.
A simple brute force attack simply guesses all possible passwords. It works against weak passwords such as “123456”, “111111” and “abcdef”. Lists of common, weak passwords are published regularly, and such passwords can easily be brute forced.
A dictionary attack tries to guess the password using combinations of words and phrases from a dictionary. Launching a dictionary attack manually is unrealistic because of the massive number of word combinations, so tools are usually used to accelerate the process. Tools nowadays also include features such as substituting similar-looking characters (“l” and “1”, “O” and “0”, “a” and “@”) to increase the success rate.
A hybrid brute force attack combines the simple brute force attack and the dictionary attack. Starting from the words or passphrases in a dictionary, attackers extend their guesses by appending patterns of the kind a simple brute force attack would try. A common addition is numbers: people tend to append a number that is significant to them, such as a birthday, birth year or anniversary date, giving passwords like “password1990” or “picture0531”. Attackers may also extend their dictionary with popular words that vary with time or region, such as cities, sports teams and idols.
A reverse brute force attack begins with a known password and runs it against a large number of possible user names. The known passwords are those commonly used by people or those leaked in data breaches.
In a credential stuffing attack, attackers take known user name and password pairs collected from previous data breaches and try them against other systems. This targets users who reuse the same user name and password across multiple systems and services.
A brute force attack is usually the first step for an attacker to gain unauthorised access to a target system. Other adversary actions can then follow, and the following are some possible impacts that may be inflicted upon the victims:
If you are notified by email or SMS by a service provider that a login attempt has been detected from a location or at a time you do not recognise, this is a sign that someone is trying to brute force their way into your account. Change your credentials and, if available, enable multi-factor authentication immediately.
For system administrator:
To be notified of a brute force attack in a timely manner, the following conditions of the systems should be monitored, as they can be signals for an alert:
A simple but effective way to defend against a brute force attack is to set a strong password. The longer and more complex the password, the stronger it is. Creating a long password that combines upper and lower case letters, numbers and symbols increases the difficulty of a brute force attack. Besides, you should avoid using dictionary words and should not include personal information such as your birthday, birthplace or name in your password.
It is always good practice to use different passwords for different services. If one of your passwords is breached, at least your other accounts will be safe from a credential stuffing attack.
Multi-factor authentication adds an additional layer of protection to your accounts. Commonly used authentication methods other than passwords include one-time passwords, tokens and biometric authentication (fingerprint or facial recognition). Even if attackers have successfully brute forced your password, they cannot access the system without passing the other authentication factors.
For system administrator:
Accounts should be locked after a certain number of failed logins to prevent unlimited attempts. Unlocking a locked account should be performed by the system administrator after properly verifying the user's identity. If locking accounts is not feasible on some systems, compensating measures should be considered and implemented; one alternative is to impose a lockout timer after several failed logins, which at least slows down the brute force attack.
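The following is an added example, not code from the original article, showing both controls described above in one small in-memory component: a hard lock after a fixed number of failed logins that only an administrator can clear, and, for systems that cannot lock accounts, an escalating lockout timer as the compensating measure. The thresholds (5 failures for a hard lock, timers starting at 30 seconds from the third failure and doubling, capped at one hour) are assumptions chosen for illustration; the clock is injectable so the behaviour can be exercised without sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Added example (not from the original article). All thresholds and timings
# below are assumptions chosen for illustration, not values from the article.
MAX_FAILURES = 5          # hard lock after this many consecutive failures
SOFT_LOCK_AFTER = 3       # start applying lockout timers from this failure on
BASE_DELAY_SECONDS = 30   # first timer lasts 30 s; each further failure doubles it
MAX_DELAY_SECONDS = 3600  # cap the timer at one hour


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins
    hard_locked: bool = False  # requires administrator unlock
    unlock_at: float = 0.0     # epoch time until which a timer lock applies


class LoginGuard:
    """Tracks failed logins per account and decides whether an attempt may proceed.

    hard_lock=True  -> lock the account outright after MAX_FAILURES failures.
    hard_lock=False -> compensating control for systems that cannot lock accounts:
                       escalating lockout timers only.
    """

    def __init__(self, hard_lock: bool = True,
                 clock: Callable[[], float] = time.time):
        self.hard_lock = hard_lock
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def can_attempt(self, user: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a login attempt on this account."""
        s = self._state(user)
        if s.hard_locked:
            return False, "account locked; administrator must unlock"
        remaining = s.unlock_at - self.clock()
        if remaining > 0:
            return False, f"temporarily locked for {int(remaining)}s"
        return True, "ok"

    def record_result(self, user: str, success: bool) -> None:
        """Update the account's state after the credential check has run."""
        s = self._state(user)
        if success:
            s.failures = 0
            s.unlock_at = 0.0
            return
        s.failures += 1
        if self.hard_lock and s.failures >= MAX_FAILURES:
            s.hard_locked = True
            return
        if s.failures >= SOFT_LOCK_AFTER:
            # 30 s, 60 s, 120 s, ... capped at MAX_DELAY_SECONDS
            delay = min(BASE_DELAY_SECONDS * 2 ** (s.failures - SOFT_LOCK_AFTER),
                        MAX_DELAY_SECONDS)
            s.unlock_at = self.clock() + delay

    def admin_unlock(self, user: str) -> None:
        """Call only after the administrator has verified the user's identity."""
        s = self._state(user)
        s.hard_locked = False
        s.failures = 0
        s.unlock_at = 0.0


if __name__ == "__main__":
    guard = LoginGuard(hard_lock=True)
    for attempt in range(1, 7):
        allowed, reason = guard.can_attempt("alice")
        print(f"attempt {attempt}: allowed={allowed} ({reason})")
        if allowed:
            guard.record_result("alice", success=False)  # simulated wrong password
```

Note that the guard only reports whether an attempt may proceed; the caller still runs the real credential check and feeds the outcome back through record_result, so a correct password after a timer expires resets the counter, while a correct password against a hard-locked account is never even tested.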
A captcha works by asking the user logging in to perform an action that only a human can do, such as identifying distorted letters and numbers, recognising objects in images or ticking a checkbox. Embedding a captcha in the login system helps distinguish a human user from an automated bot, which prevents bots from being used to launch brute force attacks.
Restricting logins to IP addresses within a specified range prevents unwanted IP addresses from accessing the system.
Providing different login URLs for each user or group of users may slow the pace of a brute force attack and hence increase the cost to attackers.
Salted hashing refers to adding random characters (a salt) to a password before hashing it. When users choose common or identical passwords, the stored hashes will still differ, making it difficult for the passwords to be revealed immediately even if your database is compromised.
It is crucial to keep an eye on server logs to observe abnormal login attempts. This helps detect brute force attack activity at an early stage.
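The following is an added example, not code from the original article, and serves both the earlier point about which system conditions to monitor and the advice here about watching server logs. It parses constructed sshd-style log lines (sample data made up for this example, not real logs) and flags three of the conditions an administrator would want to alert on: a burst of failed logins from one source address (brute force), one address cycling through many user names (the reverse brute force pattern described earlier), and a successful login from an address that had just failed repeatedly. The time window and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (sshd-style with ISO timestamps). Not real data;
# hosts, addresses and users are made up for this example.
SAMPLE_LOG = """\
2024-03-10T09:14:01Z web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
2024-03-10T09:14:03Z web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51123 ssh2
2024-03-10T09:14:04Z web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51124 ssh2
2024-03-10T09:14:06Z web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51125 ssh2
2024-03-10T09:14:07Z web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51126 ssh2
2024-03-10T09:14:09Z web1 sshd[2211]: Accepted password for root from 203.0.113.45 port 51127 ssh2
2024-03-10T09:20:00Z web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-10T09:20:01Z web1 sshd[2300]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2024-03-10T09:20:02Z web1 sshd[2300]: Failed password for carol from 198.51.100.7 port 40003 ssh2
2024-03-10T09:20:03Z web1 sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
2024-03-10T09:30:00Z web1 sshd[2400]: Failed password for alice from 192.0.2.10 port 33001 ssh2
2024-03-10T10:15:00Z web1 sshd[2500]: Accepted password for alice from 192.0.2.10 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, bool, str, str]  # (timestamp, accepted?, user, source ip)


def parse(log_text: str) -> List[Event]:
    """Extract login events from sshd-style lines; unrelated lines are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 5, user_threshold: int = 3,
           success_after: int = 3) -> List[Tuple[str, str, str]]:
    """Return sorted (kind, ip, detail) alerts. Events must be in time order."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    alerts: Dict[Tuple[str, str], str] = {}  # later findings overwrite earlier ones
    for ts, accepted, user, ip in events:
        # Keep only this address's failures that fall inside the sliding window.
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if accepted:
            if len(recent) >= success_after:
                alerts[("success_after_failures", ip)] = (
                    f"{user} accepted after {len(recent)} failures")
            continue
        recent.append((ts, user))
        failures[ip] = recent
        if len(recent) >= fail_threshold:
            alerts[("brute_force", ip)] = f"{len(recent)} failures within {window}"
        users = sorted({u for _, u in recent})
        if len(users) >= user_threshold:
            alerts[("reverse_brute_force", ip)] = f"{len(users)} user names tried: {users}"
    return sorted((kind, ip, detail) for (kind, ip), detail in alerts.items())


if __name__ == "__main__":
    for kind, ip, detail in detect(parse(SAMPLE_LOG)):
        print(f"[{kind}] {ip}: {detail}")
```

The single failure from 192.0.2.10 followed by a success 45 minutes later produces no alert, which is the point of the window: an ordinary user mistyping once should not page anyone, whereas five failures in eight seconds followed by an accepted login is the case worth investigating first.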
Account permissions should be granted according to the principle of least privilege. When a user changes responsibility or leaves, their access rights should be adjusted or their accounts revoked. Orphan accounts and accounts with misconfigured access rights are loopholes in a system and may lead to data exposure.
Regular review of the list of user accounts helps identify unmanaged accounts, especially privileged ones, which are vulnerabilities in your systems.
Humans are the weakest link in security. That is why it is crucial to keep staff aware of the risk of brute force attacks and the importance of strong passwords. Organisations may also consider stipulating a security policy and providing proper guidance to staff.