What are brute-force attacks?

And how does a brute-force attack work?

A brute-force attack is a trial-and-error method for recovering secret information such as passwords, PINs or other access codes. The attacker uses software to try candidate character sequences one after another until the right one is found, and then uses it to gain unauthorized access to protected, in some cases encrypted, data.

Why brute-force attacks are dangerous

In theory, every password or key can be recovered by brute force; the only question is how long it takes. What limits the attacker in practice is the strength of the security concept placed in front of the login, for example controls that restrict the number of attempts. After a number of incorrect logins, further attempts can also be refused for a certain period of time.

Without such mechanisms a brute-force attack runs much faster. Two factors essentially determine whether it succeeds: the time the attacker is prepared to invest and the attacking hardware, which largely determines how many guesses per second can be made.

Some experts regard this method as primitive, yet it is used more and more by criminals on the internet. Typical targets are FTP servers, exposed network ports and clients with Remote Desktop (RDP) enabled. Here a veritable flood of login attempts can be launched in automated form; the attacker only defines the framework conditions as parameters, such as the character set and the password lengths to try.


The password length also determines the success of brute-force attacks

The weak point is the password length. Most users are simply negligent when choosing their password, and this is particularly true of passwords for remote access. For whatever reason, short and simple combinations are often chosen: names, dates of birth or keyboard patterns such as "qwerty". Users who do so expose themselves to a high security risk; short passwords of four to six characters are especially affected.

Here is an example. For simplicity, employee A chooses a four-character password for remote desktop access consisting only of lowercase letters. Attacker X knows that the security arrangements in employee A's company are marginal and therefore decides to try every combination of four lowercase letters to obtain the password.

There are 26^4 = 456,976 such combinations. With reasonably powerful hardware and the right parameters in the brute-force software, attacker X recovers the password in a few seconds; on average the right one turns up after about half the combinations. If the attack succeeds, the attacker is logged in with employee A's rights and, on an administrative account, has full control of the system.

The example shows why password length matters for every user. The search time of the attacking software grows exponentially with each additional character, and it grows further when upper- and lowercase letters, digits and special characters are all in use, because each position then has more possible values. Passwords of 12 or more characters from the full character set are therefore advisable, and passphrases of more than 32 characters are better still. Machine-generated cryptographic keys of 256 bits or longer are the counterpart to this: their keyspace is far beyond what any exhaustive search can cover, and the difficulty on the attacker's side is incomparably higher than with a short string.
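The following calculator works through the article's 26^4 example and several longer password shapes, and shows what a simple lockout does to the attacker's timeline. It is an added example and not code from the original article; the guess rates (1,000/s online, 10 billion/s offline) and the lockout policy (5 attempts, then 15 minutes) are assumed round numbers for illustration, not measurements of any tool.

```python
"""Keyspace and time-to-exhaust estimates for a brute-force attack.

Added example, not code from the original article. The guess rates are assumed
round numbers chosen to illustrate orders of magnitude, not measurements of
any particular tool or hardware.
"""
import string

# Character classes a password policy can require.
LOWER = string.ascii_lowercase     # 26
UPPER = string.ascii_uppercase     # 26
DIGITS = string.digits             # 10
SPECIAL = string.punctuation       # 32 printable ASCII specials
FULL = LOWER + UPPER + DIGITS + SPECIAL  # 94

# Assumed guess rates. "Online" means guesses sent to a live login service,
# "offline" means attacking a stolen password-hash dump on GPU hardware.
ONLINE_RATE = 1_000.0
OFFLINE_RATE = 10_000_000_000.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings: alphabet_size ** length.
    The article's example, four lowercase letters, is 26 ** 4 == 456_976."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def time_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Seconds to try every candidate at the given rate (worst case for the
    attacker; on average the password is found after half the space)."""
    return space / guesses_per_second


def time_with_lockout(space: int, attempts_before_lock: int, lock_seconds: float) -> float:
    """Worst-case seconds against a service that locks the account for
    lock_seconds after every attempts_before_lock failed attempts (assumed
    fixed-interval lockout). Network latency is ignored, which only favours
    the attacker, so the real figure is higher."""
    locks = space // attempts_before_lock
    return locks * lock_seconds


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def report(label: str, alphabet_size: int, length: int) -> dict:
    """All estimates for one password shape, as a dict so callers can reuse them."""
    space = keyspace(alphabet_size, length)
    return {
        "label": label,
        "keyspace": space,
        "offline": time_to_exhaust(space, OFFLINE_RATE),
        "online": time_to_exhaust(space, ONLINE_RATE),
        "online_lockout": time_with_lockout(space, 5, 15 * 60),
    }


if __name__ == "__main__":
    for label, n, length in [
        ("4 lowercase (article example)", len(LOWER), 4),
        ("8 lowercase", len(LOWER), 8),
        ("8 from full 94-character set", len(FULL), 8),
        ("12 from full 94-character set", len(FULL), 12),
        ("16 lowercase (passphrase-like)", len(LOWER), 16),
    ]:
        r = report(label, n, length)
        print(f"{r['label']}: {r['keyspace']:,} candidates")
        print(f"  offline at {OFFLINE_RATE:,.0f}/s      : {human(r['offline'])}")
        print(f"  online at {ONLINE_RATE:,.0f}/s         : {human(r['online'])}")
        print(f"  online, 5 tries then 15-min lock : {human(r['online_lockout'])}")
```

Two things stand out when this runs. Offline, the four-letter password falls in a fraction of a millisecond and even eight characters from the full set take only hours at the assumed rate, which is why the length recommendation above is about stolen hash dumps as much as live logins. Online, the same four-letter password protected by nothing more than a five-attempt, fifteen-minute lockout would take on the order of years to exhaust, which is the point of tip 1 below.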

5 effective tips to protect against brute-force attacks

1. Limit wrong entries

Brute-force attacks are countered effectively by restricting and slowing down the attacker. As stated above, attacks of this kind always follow the same pattern, and many of them can be contained by very simple precautions.

One such precaution is a protection mode that locks the account after a number of incorrectly entered access codes. We recommend coupling the lock to a successively growing time interval, so that every further failure extends the lock. Above all, this responds to the steadily growing computing capacity that cybercriminals naturally use as well.

Without such a lock, cybercriminals can recover the passwords of moderately protected systems within minutes or even seconds. A lock delays a brute-force attack considerably, even though it cannot prevent the attempts as such: the attacker can still send guesses, but only a handful per lock interval.

However, the measure is not always appropriate. Lockouts triggered carelessly by users, or deliberately by an attacker who wants to lock legitimate users out, cause additional work for the administrators of a corporate network. Here it is important to find a middle ground and decide whether this approach is appropriate for protecting the company's own infrastructure.
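The guard below implements the lockout described in tip 1 with the recommended growing interval: after a threshold of failures the account is locked, and every further failure doubles the lock up to a cap. It is an added example, not code from the original article. The policy values (5 failures, 60 seconds, 24-hour cap), the account store and the `check_credentials` callback are assumptions constructed for the demo; a real deployment would plug in its own credential check and persist the lock state outside the process.

```python
"""Progressive account lockout in front of a credential check.

Added example, not code from the original article. Threshold, base delay and
cap are assumed policy values; the credential store below is constructed for
the demo. The clock is injectable so the back-off can be exercised without
waiting.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LockState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class LoginGuard:
    verify: Callable[[str, str], bool]   # the real credential check, injected
    threshold: int = 5                   # failures tolerated before the first lock
    base_delay: float = 60.0             # length of the first lock in seconds
    max_delay: float = 24 * 3600.0       # cap so the lock cannot grow without bound
    clock: Callable[[], float] = time.time
    state: Dict[str, LockState] = field(default_factory=dict)

    def lock_duration(self, failures: int) -> float:
        """Exponential back-off: 60 s after the 5th failure, 120 s after the 6th,
        240 s after the 7th, ... capped at max_delay. The attacker's sustained
        guess rate collapses to a few attempts per lock interval."""
        excess = failures - self.threshold
        return min(self.base_delay * (2 ** excess), self.max_delay)

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'denied'. While a lock is active the password
        is not checked at all, so a locked attempt leaks nothing about it."""
        st = self.state.setdefault(username, LockState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if self.verify(username, password):
            self.state.pop(username, None)   # success clears the failure history
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.lock_duration(st.failures)
        return "denied"


# Constructed credential store: per-user salt and PBKDF2 hash, never plaintext.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


USERS = {"employee_a": _new_record("zqpx")}   # the article's 4-letter example, demo only


def check_credentials(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)          # same cost for unknown users (timing)
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))


def demo() -> dict:
    """Drive the guard with a fake clock and return each decision."""
    t = {"now": 1_000_000.0}
    guard = LoginGuard(verify=check_credentials, clock=lambda: t["now"])
    out = {}
    out["wrong_guesses"] = [guard.attempt("employee_a", g) for g in ("aaaa", "aaab", "aaac", "aaad", "aaae")]
    out["correct_but_locked"] = guard.attempt("employee_a", "zqpx")   # 60 s lock is active
    t["now"] += 61
    out["sixth_failure"] = guard.attempt("employee_a", "aaaf")        # triggers a 120 s lock
    t["now"] += 61
    out["still_locked"] = guard.attempt("employee_a", "zqpx")
    t["now"] += 60
    out["after_second_lock"] = guard.attempt("employee_a", "zqpx")
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note the trade-off from the paragraph above in the code: the lock is keyed on the user name, so anyone who knows the name can lock that user out by sending five bad passwords. Keying the counter on source address as well, or alerting an administrator once a lock is extended several times, are the usual ways to keep the middle ground the text asks for.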

2. Using strong password combinations

By contrast, requiring strong access codes of a certain complexity for all user accounts in advance seems simple. As a rule, an access code should not be a word or combination of words found in a dictionary such as the Duden or the Cambridge Dictionary, nor an entry from a list of commonly used passwords. This defeats so-called dictionary attacks, a variant of brute force in which a word list is worked through in sequence instead of the full character space.

3. Alternatives to traditional passwords

Another way to reduce the risk from brute-force attacks is to move away from access codes in the form of static passwords. Alternatives are hardware tokens or one-time passwords (OTPs). A one-time password is valid for a single login or a short time window only, so a code that an attacker captures or guesses cannot be reused afterwards to impersonate the user; each subsequent authentication requires a freshly generated OTP.

4. Multi-way authentication

Tokens and OTPs are usually deployed as a second factor, i.e. two-factor authentication (2FA). This security measure is common in online banking: in addition to the conventional login, a further security level is required to authorize a transfer, for instance a code sent to the smartphone by SMS (mTAN) or produced by a dedicated TAN generator. A different kind of protection is a Turing test, better known as a CAPTCHA, which checks whether the input comes from a human or from a program. It is not a second factor, but it makes automated guessing considerably more expensive.
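The following code implements the OTP mechanism behind most authenticator apps and hardware tokens, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), and adds the server-side check that makes it "one-time": a step that has already been accepted is never accepted again, which is what stops a captured code from being replayed within its validity window, as described in tips 3 and 4. This is an added example, not code from the original article; the 30-second step, six digits and one step of clock tolerance are the RFC defaults, the secret is the RFC test secret and the user name and scenario are constructed.

```python
"""Time-based one-time passwords (RFC 6238) with single-use enforcement.

Added example, not code from the original article. HOTP (RFC 4226) and TOTP
(RFC 6238) are implemented with the standard library; TotpVerifier adds the
replay check. Step, digits and skew tolerance are the RFC defaults.
"""
import hashlib
import hmac
import struct
import time
from typing import Callable, Dict, List


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' to a 31-bit integer, reduced to the wanted digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP with counter = floor((time - t0) / step)."""
    return hotp(secret, int((for_time - t0) // step), digits)


class TotpVerifier:
    """Server side. Accepts the current step or one neighbour to absorb clock
    skew, but never accepts a step at or before the last accepted one for a
    user, so a code can be used exactly once even inside its window."""

    def __init__(self, clock: Callable[[], float] = time.time, step: int = 30, skew_steps: int = 1):
        self.clock = clock
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_step: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str) -> bool:
        now_step = int(self.clock() // self.step)
        for candidate in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if hmac.compare_digest(hotp(secret, candidate), code):
                if candidate <= self.last_accepted_step.get(user, -1):
                    return False          # replay of an already used step
                self.last_accepted_step[user] = candidate
                return True
        return False


def demo() -> List[bool]:
    """Constructed scenario with a controllable clock; returns the decisions."""
    secret = b"12345678901234567890"      # RFC 4226/6238 test secret, not a real key
    t = {"now": 59.0}
    v = TotpVerifier(clock=lambda: t["now"])
    code = totp(secret, t["now"])         # step 1 -> "287082"
    results = [
        v.verify("employee_a", secret, code),      # first use: accepted
        v.verify("employee_a", secret, code),      # same code again: replay, rejected
    ]
    t["now"] = 89.0                       # next 30-second step
    results.append(v.verify("employee_a", secret, totp(secret, t["now"])))   # fresh code: accepted
    results.append(v.verify("employee_a", secret, code))       # old step, still inside skew: rejected
    results.append(v.verify("employee_a", secret, "000000"))   # wrong code: rejected
    return results


if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(b"12345678901234567890", 59, digits=8))
    print("decisions:", demo())
```

Two practical points follow from the code. The replay state must be stored per user on the server (a database row or cache entry, not a process-local dict as in the demo), otherwise a second front-end node would accept the replay. And an OTP only helps against brute force if the OTP entry itself is rate-limited as in tip 1: six digits is a keyspace of one million, which is small if the attacker may guess without restriction.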

5. Abstraction of standard structures

If the login area belongs to a CMS, do not keep the directory structure the manufacturer ships with; individualize it so that attackers cannot immediately find the path to the admin area. Since such paths can still be discovered, this only raises the attacker's effort and should be combined with restricting access to the admin area to predefined IP addresses. User names should also be individualized, within a CMS and outside it: login names such as "User" or "Admin" should generally be avoided, because they are the first ones an attacker tries.


Additional information

Brute-force attacks follow a crude and repetitive pattern, yet they are still widely used by cybercriminals today. The trick behind them is to exploit the weaknesses in password handling that users or administrators introduce themselves.

Companies that follow these basic recommendations have already laid a first foundation of protection against external attacks. In addition, it is strongly advisable to supplement them with a professional data-security tool.