What is brute force attack?

How does a brute force attack work?

IT Knowlege Base

Home » Knowledge Base » Brute force attacks

A brute-force attack is a trial-and-error method used to obtain information such as passwords or other access codes. Here, the attacker tries a variety of possible combinations of characters with the help of software to find the desired character sequence that will give them access to sensitive, partially encrypted data.

Why brute-force attacks are dangerous

Theoretically, every string can be identified by a brute-force attack depending on the strength of the associated security strategy. This refers to certain access restrictions, like for example, limiting the number of entries. Alternatively, in case of many incorrect login attempts, further entries could be refused for a certain period of time.

Brute-force attacks can be implemented much faster without such security mechanisms in place. The two factors that basically determine the success of such an attack are the time available and the capabilities of the attacker’s hardware, which is largely responsible for the speed of the attack.

This method of attack, which some experts have described as redundant, is used increasingly by internet criminals. It is used to attack FTP hosts, ports and clients with an active release function for the remote desktop. In this case, a flood of attacks can be initiated in automated form. The attacker only has to define the framework conditions by specifying parameters.

The password length also determines the success of brute-force attacks

The weakness lies in the password length. Most users are simply negligent when choosing their password combination. This is especially true for setting passwords for remote access. Often and for whatever reason, shallow as well as simple combinations of characters are chosen here in the form of names, dates of birth or strings of keyboard shortcuts. Users who do so, put themselves at a high security risk. Short password combinations of a four- to six-digit character length are particularly affected.

Here’s an example: For simplicity, employee A selects a four-digit password for remote desktop access that consists only of lowercase letters. Attacker X is aware that the security arrangements are only marginal in employee A’s company. For this reason, the attacker decides to check all small letter combinations of four characters length to get the password of employee A.

The resulting variants amount to 456,976, which mathematically corresponds to 26^4. Powerful hardware allows attacker X to gain the password of employee A in just a few seconds by setting the correct parameters in his brute-force software. If successful, the attacker gains full control of the system.

This example illustrates the relevance of the password length which every user should consider. The decryption time of the attacking software increases with an increased password length. The same applies to the additional use of large and small letters as well as numbers and special characters. It therefore seems advisable to use password keys that have more than 32 characters. For example, lengths of 256 and 512 bits are common. Here, the level of difficulty on the attacker’s side is significantly higher than with a shorter-length string.

5 effective tips to protect against brute-force attacks

1. Limit wrong entries

Brute-force attacks can be effectively countered by restricting and slowing down the attacker in his actions. As already stated, attacks of this kind always follow the same pattern. However, it should be noted that many brute-force attacks could be contained by very simple precautionary measures.

This refers for example to a protection mode that blocks the user’s account if there are many incorrectly entered access codes. Here we recommend a coupling of the lock to a successive extension of the time interval. Above all, you are reacting to the steadily increasing performance of computer capacities, which are naturally also used by cyber criminals.

This enables cybercriminals to find out passwords in moderately protected systems within a few minutes or even seconds. The creation of a lock results in a significant delay in brute-force attacks. Blocking the attack attempts as a whole is not possible

However, this is not always a useful measure. Recklessly caused lockouts of user accounts can cause additional expenses in the administration of a corporate network. Here, it is important to find a middle ground and determine whether this approach seems appropriate in terms of protection for the company’s own infrastructure.

2. Using strong password combinations

In contrast, the option of creating strong access codes characterized by a certain complexity for the user accounts in advance seems simple. As a rule, the access code should not be a combination of words that appear in the dictionary, such as the Duden or the Cambridge Dictionary. This prevents the so-called dictionary attacks which are based on the successive processing of a word list in a brute-force attack.

3. Alternatives to traditional passwords

Another way to reduce brute-force attacks is to give up access codes in the form of passwords. Alternatively, you could think about the use of tokens or OTPs. Using so-called one-time passwords completely prevents replay attacks in which attackers fake their identity. In a broader sense, this means that each subordinate authentication requires the generation of an additional OTP.

4. Multi-way authentication

The token solution is a two-factor authentication, also known as 2FA. This security measure is commonly used for banking transactions. In addition to the conventional login, another security level is added to make a transfer.. This is possible with a SMS transfer code via smartphone or an mTAN generator. Another possibility is a Turing test, which provides information on whether it is a human or computer-controlled input. This form of protection is also known as captcha.

5. Abstraction of standard structures

If the security relatesto a login area of an attached CMS, it is important to not adopt directory structures specified by the manufacturer, but to individualize them. This ensures that attackers cannot immediately find directory paths for the admin area. It is also possible to only give pre-defined IP addresses access to the respective admin area. Furthermore, it’s also recommended to individualize user names outside of a CMS. Login names such as “User” or “Admin” should generally be avoided.

Read more about IT security in our blog

Monthly Threat Report : August 2024
Threat Reports

Monthly Threat Report August 2024: A Month of Global Impact

Widespread cyberattacks dominated July 2024, highlighted by the severe CrowdStrike incident that caused significant disruptions across multiple businesses. New vulnerabilities in VMware ESXi and increased DDoS attacks from Anonymous Sudan further compounded the threat landscape.

Read more

Threat Reports

Monthly Threat Report July 2024: Snowflake(s) in July

This month’s email attacks: more spam, less targeted. Cloud storage provider Snowflake’s customers were breached. Change Healthcare revealed leaked data from their ransomware attack. Big news: Kaspersky banned in the US! Finally, good news – the FBI has Lockbit decryption keys (see Lockbit section if affected).

Read more

Additional information

Attacks based on brute-force basically have an unconventional and redundant attack pattern; however, they are still widely used by cybercriminals today. The trick behind a brute-force attack is to exploit the vulnerabilities in password management caused by the user or admin.

Those who follow the basic safety recommendations as a company have already created a first basis of protection against external attacks. In addition, however, it is strongly advised to supplementary integrate a professional tool for data security.