October 21, 2022

What is brute force attack and How to prevent it?

The cost of a data breach is complicated to quantify, but as more and more organizations fall victim to attacks, the potential financial impact becomes more apparent. IBM's latest data breach cost report found that the average cost of a data breach worldwide will reach an all-time high of $.35 million in 2022.

What is brute force attack?

A very common threat in this web era is brute force attack. A brute force attack in cyber security is an attempt to find a password by systematically trying all possible combinations of letters, numbers and symbols until you find the right working combination. Passwords aren't the only resource that can be brute-forced: links and directories, usernames and emails are other common targets too.

Types of brute force attack:

Most commonly there are 5 types of brute force attack

  • Simple/Traditional Attacks:
  • In this kind of brute force attack, attackers try multiple passwords to target a specific set of identities. Here, hackers try to guess manually or use trial and error method, with regards to the user's login credentials without using any software and hence, this method is time and resource intensive. Hackers try to generate all possible characters, numbers and special characters. This method is only effective for short powers, but terrible for slightly longer ones.

  • Reverse Brute Force Attacks:
  • Password spraying is a form of reverse brute force attack where the attacker brute force logs into the application based on a list of usernames with default passwords. This attack is normally used in areas where the admin sets a default password for the new users. Normally, attackers try to guess the passwords. However, unlike a brute-force attack, which focuses on a single account, in this case, password injection attacks target multiple accounts at a time. Here the attackers gain access to a large number of accounts (usernames) with a few common passwords.

  • Dictionary Attacks:
  • From the name itself, it is obvious - it basically uses a large number of predefined popular phrases or terms normally found in a dictionary. In general, a good password list can improve the success rate of attackers, but here they often require multiple attempts against potential targets. The drawback of this kind of attack is that it is time-consuming and has a low probability compared to newer powerful attack methods.

  • Hybrid Brute Force Attacks:
  • In this kind of attack, hackers combine a dictionary attack method with a simple brute force attack. Hackers normally would know the username, so they perform a dictionary attack and simple brute force methods to find the account login combination. This procedure involves choosing common words from a dictionary and replacing them with random numbers or characters. This combined approach is more effective.

  • Credential Stuffing Attacks:
  • A credential “stuffing” attack involves stuffing passwords that have been hijacked or otherwise exposed by cybercriminals used in login fields of multiple websites. This attack is successful when users use the same username and password combination or reuse passwords for different social media accounts and profiles. Stolen credentials are sold and traded between cybercriminals on the dark web.

    How to investigate brute force attack:

    An attacker can always find the password through a brute-force attack. Depending on the length and complexity of the password, there can be trillions of possible combinations and hence it might take years to crack the target passwords.

  • Numerous failed login attempts were tried from the same IP address.
  • Login attempts using different usernames.
  • Login attempts using different usernames
  • Unusual pattern of failed login attempts
  • Unusual bandwidth
  • How to prevent brute force attack:

    The success of a brute force attack is calculated in regard to the time taken to successfully crack a password. As the length of the password increases, the time required to crack also increases exponentially. It is estimated, 15 million key companies would need 9 minutes per second to crack a seven-digit password. A 13-digit password would last over 350,000 years.

  • It is always recommended not to use standard passwords, but it is better to use your own created passwords. The best thing is to create unique passwords that contain at least 15 numbers and several keywords. Long passwords consisting of random words/characters are more secure and easier for password cracking.
  • Lots of websites allow an infinite number of login attempts. It is recommended that the site administrator installs a plugin that limits the number of attempts to connect to the domain, by further preventing brute force attacks. Even a root user can allow brute force attacks on solid shell (SSH) connections, hence it is better to prevent users from accessing SSH by enabling “DenyUsers root” and “PermitRootLogin no”.
  • It is recommended to have two-factor or multi-factor authentication, where the user must verify his authenticity before granting access to the system. If 2FA is activated, the user will be asked to enter a unique code assigned to a mobile phone number to verify its authenticity, before getting access to the network.
  • The benefit of using CAPTCHA is that it protects against account takeovers, illegal purchases and other similar scenarios. CAPTCHAs prefer 100% security response.
  • A web application firewall (WAF) limits the number of requests a resource can make to a URL space in a given time period. In addition to brute-force attacks to steal session tokens, WAF also protects against denial-of-service (DOS) attacks that consume server resources and block vulnerability scanning tools that check the computer network for errors.
  • Try for free