In the field of IT security, a brute force attack means cracking a password using trial and error. Although it can involve some level of calculation, it basically consists of trying thousands of possible variants to break password protection.
In the field of IT, there are several ways to gain unauthorized access to a system. Cyber criminals use vulnerabilities (exploits) to bypass a password barrier, steal the login data of legitimate users, or fuel the system with password lists (brute force method). These lists are calculated automatically or purchased and downloaded illegally.
For the first two variants, the knowledge and effort required are usually greater than for variant three. A brute force attack, as the name suggests, is a literal sledgehammer method. The access attempts are automated and can last from a few seconds to several days until the correct password is found. The length of the attack depends on computing power of the hacker and the strength of the password.
To avoid falling victim to brute force attacks, it is advisable to not use of frequently used passwords – a more complex password should always be used instead.
There are various approaches to the brute force method:
There are lists with hijacked access are circulating on the Internet, mostly in special forums on the Clearnet or the Darknet. Around half a million login details for devices belonging to the Belgian telecommunications company Telenet were published in a forum in spring 2020.
Such lists are sold or in some cases even published as free data dumps by hackers. If the attackers have an existing list of possible access data, they can simply query it at the password barrier using a script.
In the “ideal case” for cyber criminals, they don’t even have to go to the trouble of preparing a brute force attack. Manually entering default system passwords can sometimes be enough. These are assigned at the factory and should of course be changed by users.
However, some examples from the press prove that even large companies can miss this security gap – resulting in serious consequences. A class action lawsuit was filed against the US credit checker Equifax after hackers used a default admin password to get into the system and steal around 150 million customer records. This negligence in the area of IT security cost the company 700 million USD in addition to the loss of reputation.
With many IoT devices (e.g., routers) on the market, these standard passwords cannot be changed. As a result, they are regularly the target of botnet attacks.
If attackers start from scratch, they use the principle of exhaustive searches. Passwords are tried out with the help of an algorithm, which allows for the calculation of all possibilities within seconds. In addition to the most common passwords, dictionary attacks are also carried out. This means that all known character combinations found in the dictionary or similar are tried first.
If this method is unsuccessful, possible character strings (hash values) can be calculated. Hash values are passwords that have been converted into an encrypted character string using an algorithm (hash function). Systems store passwords in this form so that they cannot be retrieved as plain text.
Each time a user logs in, the password input is converted by the hash function and compared with the stored hash value. If the two values match, the login is successful. In a brute force attack, cyber criminals use precisely this method: they test predefined, frequent hash values that are available in so-called rainbow tables. This can reduce the time required to crack the password.
The traffic generated by bots on the Internet is constantly increasing. The malicious variant of these programs is also capable of carrying out brute force attacks. Expert knowledge is no longer required to control such bots. Special bad bots are also offered as a service.
One problem for a lot of Internet users is that many everyday tasks are carried out via a wide variety of online services – often across multiple devices, both professionally and privately. Whether online stores, insurance, payment services, newspaper subscriptions, emails or car rental, every registration requires a password. So how do you keep track of all your potential login details?
Many users have a simple standard password for precisely this reason, which may only be slightly modified for all logins. This method is particularly dangerous in e-commerce, as customers store payment data with providers in addition to their personal information.
The Hasso Plattner Institute (HPI) publishes the most popular passwords in Germany every year to make consumers aware of the risk of password misuse.
| Rank | Password |
| 1 | 123456 |
| 2 | 123456789 |
| 3 | 12345678 |
| 4 | 1234567 |
| 5 | password |
| 6 | 111111 |
| 7 | 1234567890 |
| 8 | 123123 |
| 9 | 000000 |
| 10 | abc123 |
| 11 | dragon |
| 12 | iloveyou |
| 13 | password1 |
| 14 | monkey |
| 15 | qwertz123 |
| 16 | target123 |
| 17 | tinkle |
| 18 | qwertz |
| 19 | 1q2w3e4r |
| 20 | 222222 |
Source: HPI
The passwords on this list can be cracked in a few seconds using a conventional computer and the right software. But even without the assistance of a machine, a determined criminal could guess these simple combinations just by trying them out manually.
As with many worst-case scenarios, there is a fundamental problem: the probability of a password being broken is rather low for the average consumer. However, if this happens, the personal damage can be enormous.
When it comes to security against password hackers, there is only so much that users can do. We should also look to the operators of online services. Whether email hosts, e-commerce or social media platforms – users should ensure and demand adequate protection.
It is not uncommon for online registration forms to specify exactly what the password must look like. Normally, these specifications are intended to force the user to choose a stronger password. Unfortunately, in some cases this idea backfires: if the number of characters is set to 8 or fewer, for example, the system ultimately forces the customer to choose a password with only a low or medium strength.
There are other ways that operators can help to make brute force attacks more difficult. For example, a defined event can occur as soon as a certain number of unsuccessful login attempts has been reached:
These barriers offer additional protection against cyber criminals. When used in combination with each other, they make a brute force attack uninteresting at best.
Nevertheless, they do not function as an invincible barrier in the fight against professional attackers. The rules that are defined (e.g., limiting login attempts to 5, then blocking) relate to the use of an individual IP address. If the IP address changes, new login attempts are possible. This rule is therefore not a major obstacle for hackers in control of a botnet.
Some systems offer required or voluntary multi-factor authentication. Instead of a password, another security barrier must be overcome, such as:
It is not uncommon for a second authentication to take place via another device, e.g., by sending a PIN to a stored cell phone number.
The risk calculation looks different for companies: They are popular, strategic targets for brute force attacks and must therefore protect themselves better. Two-factor authentication combined with strict authorization management can help to raise the barriers for password crackers.
Companies can also protect themselves against password hackers with protection solutions, such as zero trust setups. This approach to security means that no client (inside or outside the firewall) is trusted and access data is continuously queried.
Furthermore, intrusion detection systems help to increase security through warnings.
The simplest and at the same time most effective method to slow down a brute force attack is a security mechanism for password entry. If the required password is entered incorrectly too often, the user’s account is blocked.
But beware: such an implementation can also lead to serious users being locked out of their account if they unintentionally enter their password incorrectly several times. This leads to increased IT administration costs. A carefully chosen middle ground is the solution here.
This tip may sound obvious, but it is not necessarily so. It is generally helpful to assign passwords that have a certain level of complexity right from the start. This means no obvious number combinations and no normal word combinations, such as those found in the dictionary.
Instead, the recommendation is to use a long string of letters and numbers that make no sense and have no logic.
Two-factor authentication (= 2FA) is also a suitable protection mechanism. In addition to the classic login process, a second security barrier is implemented – in the best case, a second device is required for this.
Possible options for 2FA would be a second confirmation via SMS or a code generator.
Some companies rely on one-time passwords (OTP), so-called disposable passwords. Before each login, a new login code is generated that allows access. This access expires after login and cannot be used a second time.
These are extremely effective but do involve additional effort.
A global study by NTT Security identified the most common types of cyberattacks by industry. Brute force software was repeatedly on the winner’s podium of the biggest threats:
The study also found that 12% of malicious data traffic worldwide is attributable to brute force attacks. The most common targets of cybercriminals are emails, http forms (browsers), Windows applications and file transfer protocols such as SSH/SFTP or FTP. A study by ESET also showed that remote desktop protocols (RDP) were increasingly attacked during the global COVID-19 pandemic.
It is generally recommended to proactively prepare for cyber attacks and brute force attacks in general. If your own defenses are secure in the event of an attack, you will be spared a lot of trouble. If you have any questions about effective protective measures, our colleagues will be happy to help you.
