Brute force attack

  • Fabian Sinner
  • January 19, 2024

Table of content

    Brute force attack

    In the field of IT security, a brute force attack means cracking a password using trial and error. Although it can involve some level of calculation, it basically consists of trying thousands of possible variants to break password protection.

    What constitutes a brute force attack?

    In the field of IT, there are several ways to gain unauthorized access to a system. Cyber criminals use vulnerabilities (exploits) to bypass a password barrier, steal the login data of legitimate users, or fuel the system with password lists (brute force method). These lists are calculated automatically or purchased and downloaded illegally.

    For the first two variants, the knowledge and effort required are usually greater than for variant three. A brute force attack, as the name suggests, is a literal sledgehammer method. The access attempts are automated and can last from a few seconds to several days until the correct password is found. The length of the attack depends on computing power of the hacker and the strength of the password.

    To avoid falling victim to brute force attacks, it is advisable to not use of frequently used passwords – a more complex password should always be used instead.

    How does a brute force attack work?

    There are various approaches to the brute force method:

    Password lists available

    There are lists with hijacked access are circulating on the Internet, mostly in special forums on the Clearnet or the Darknet. Around half a million login details for devices belonging to the Belgian telecommunications company Telenet were published in a forum in spring 2020.

    Such lists are sold or in some cases even published as free data dumps by hackers. If the attackers have an existing list of possible access data, they can simply query it at the password barrier using a script.

    Default Passwords

    In the “ideal case” for cyber criminals, they don’t even have to go to the trouble of preparing a brute force attack. Manually entering default system passwords can sometimes be enough. These are assigned at the factory and should of course be changed by users.

    However, some examples from the press prove that even large companies can miss this security gap – resulting in serious consequences. A class action lawsuit was filed against the US credit checker Equifax after hackers used a default admin password to get into the system and steal around 150 million customer records. This negligence in the area of IT security cost the company 700 million USD in addition to the loss of reputation.

    With many IoT devices (e.g., routers) on the market, these standard passwords cannot be changed. As a result, they are regularly the target of botnet attacks.

    Trial and error

    If attackers start from scratch, they use the principle of exhaustive searches. Passwords are tried out with the help of an algorithm, which allows for the calculation of all possibilities within seconds. In addition to the most common passwords, dictionary attacks are also carried out. This means that all known character combinations found in the dictionary or similar are tried first.

    Hash function and rainbow tables

    If this method is unsuccessful, possible character strings (hash values) can be calculated. Hash values are passwords that have been converted into an encrypted character string using an algorithm (hash function). Systems store passwords in this form so that they cannot be retrieved as plain text.

    Each time a user logs in, the password input is converted by the hash function and compared with the stored hash value. If the two values match, the login is successful. In a brute force attack, cyber criminals use precisely this method: they test predefined, frequent hash values that are available in so-called rainbow tables. This can reduce the time required to crack the password.

    Brute force attack with the help of bad bots

    The traffic generated by bots on the Internet is constantly increasing. The malicious variant of these programs is also capable of carrying out brute force attacks. Expert knowledge is no longer required to control such bots. Special bad bots are also offered as a service.

    Weak passwords: an everyday problem

    One problem for a lot of Internet users is that many everyday tasks are carried out via a wide variety of online services – often across multiple devices, both professionally and privately. Whether online stores, insurance, payment services, newspaper subscriptions, emails or car rental, every registration requires a password. So how do you keep track of all your potential login details?

    Many users have a simple standard password for precisely this reason, which may only be slightly modified for all logins. This method is particularly dangerous in e-commerce, as customers store payment data with providers in addition to their personal information.

    The Hasso Plattner Institute (HPI) publishes the most popular passwords in Germany every year to make consumers aware of the risk of password misuse.

    Top 20 most popular passwords 2020

    Rank Password
    1123456
    2123456789
    312345678
    41234567
    5 password
    6111111
    71234567890
    8123123
    9000000
    10abc123
    11dragon
    12iloveyou
    13password1
    14monkey
    15qwertz123
    16target123
    17tinkle
    18qwertz
    191q2w3e4r
    20222222

    Source: HPI

    The passwords on this list can be cracked in a few seconds using a conventional computer and the right software. But even without the assistance of a machine, a determined criminal could guess these simple combinations just by trying them out manually.

    Improve password security

    As with many worst-case scenarios, there is a fundamental problem: the probability of a password being broken is rather low for the average consumer. However, if this happens, the personal damage can be enormous.

    Tips for improving password security

    • Uniqueness: Use each password only once
    • Length: Use at least 9 characters – the more randomly chosen, the better. Free password generators help with the creation
    • Randomness: Use characters from each class if possible (i.e., uppercase letters, lowercase letters, special characters, and numbers)
    • Neutrality: Avoid words or numbers with a personal reference (surnames, dates of birth, etc.)
    • Updates: 
    • Administration: Professional password managers store your passwords securely and log you in automatically

     Operator responsibility against a brute force attack

    When it comes to security against password hackers, there is only so much that users can do. We should also look to the operators of online services. Whether email hosts, e-commerce or social media platforms – users should ensure and demand adequate protection.

    Password formats

    It is not uncommon for online registration forms to specify exactly what the password must look like. Normally, these specifications are intended to force the user to choose a stronger password. Unfortunately, in some cases this idea backfires: if the number of characters is set to 8 or fewer, for example, the system ultimately forces the customer to choose a password with only a low or medium strength.

    Additional password protection

    There are other ways that operators can help to make brute force attacks more difficult. For example, a defined event can occur as soon as a certain number of unsuccessful login attempts has been reached:

    • Warning: User is notified by email after a set number of failed login attempts
    • Time Out:
      • User must wait until a new login attempt is possible
      • Variant: Time-out intervals become longer the more attempts fail
    • Disabling: Account is disabled after a certain number of failed login attempts or time-out intervals until the user releases the account again

    These barriers offer additional protection against cyber criminals. When used in combination with each other, they make a brute force attack uninteresting at best.

    Nevertheless, they do not function as an invincible barrier in the fight against professional attackers. The rules that are defined (e.g., limiting login attempts to 5, then blocking) relate to the use of an individual IP address. If the IP address changes, new login attempts are possible. This rule is therefore not a major obstacle for hackers in control of a botnet.

    Multi-factor identification

    Some systems offer required or voluntary multi-factor authentication. Instead of a password, another security barrier must be overcome, such as:

    • Personal Question
    • CAPTCHA
    • Picture Puzzle
    • Second password request
    • One-time passwords (OTP), which are transmitted via app, text message or transponder.

    It is not uncommon for a second authentication to take place via another device, e.g., by sending a PIN to a stored cell phone number.

    Brute force attacks on companies

    The risk calculation looks different for companies: They are popular, strategic targets for brute force attacks and must therefore protect themselves better. Two-factor authentication combined with strict authorization management can help to raise the barriers for password crackers.

    Companies can also protect themselves against password hackers with protection solutions, such as zero trust setups. This approach to security means that no client (inside or outside the firewall) is trusted and access data is continuously queried.

    Furthermore, intrusion detection systems help to increase security through warnings.

    How can companies protect themselves?

    • Limit incorrect entries

    The simplest and at the same time most effective method to slow down a brute force attack is a security mechanism for password entry. If the required password is entered incorrectly too often, the user’s account is blocked.

    But beware: such an implementation can also lead to serious users being locked out of their account if they unintentionally enter their password incorrectly several times. This leads to increased IT administration costs. A carefully chosen middle ground is the solution here.

    • Strong passwords right from the start

    This tip may sound obvious, but it is not necessarily so. It is generally helpful to assign passwords that have a certain level of complexity right from the start. This means no obvious number combinations and no normal word combinations, such as those found in the dictionary.

    Instead, the recommendation is to use a long string of letters and numbers that make no sense and have no logic.

    • Two-factor authentication

    Two-factor authentication (= 2FA) is also a suitable protection mechanism. In addition to the classic login process, a second security barrier is implemented – in the best case, a second device is required for this.

    Possible options for 2FA would be a second confirmation via SMS or a code generator.

    • One-Time-Passwords

    Some companies rely on one-time passwords (OTP), so-called disposable passwords. Before each login, a new login code is generated that allows access. This access expires after login and cannot be used a second time.

    These are extremely effective but do involve additional effort.

    Brute force attack: facts and figures

    A global study by NTT Security identified the most common types of cyberattacks by industry. Brute force software was repeatedly on the winner’s podium of the biggest threats:

    • Technology: 2nd place (17%)
    • Services: 1st place (42%)
    • Education: 1st place (47%)

    The study also found that 12% of malicious data traffic worldwide is attributable to brute force attacks. The most common targets of cybercriminals are emails, http forms (browsers), Windows applications and file transfer protocols such as SSH/SFTP or FTP. A study by ESET also showed that remote desktop protocols (RDP) were increasingly attacked during the global COVID-19 pandemic.

    Effective protection is a must

    It is generally recommended to proactively prepare for cyber attacks and brute force attacks in general. If your own defenses are secure in the event of an attack, you will be spared a lot of trouble. If you have any questions about effective protective measures, our colleagues will be happy to help you.

    Contact us now >>

    Analyzing the Anonymous DDoS ‘Ping Attack’ Tool
    Infographic: Unlimited Growth
    X