What is brute force attack?

How does a brute force attack work?

A brute-force attack is a trial-and-error method used to obtain information such as passwords or other access codes. Here, the attacker tries a variety of possible combinations of characters with the help of software to find the desired character sequence that will give them access to sensitive, partially encrypted data.

Why brute-force attacks are dangerous

Theoretically, every string can be identified by a brute-force attack depending on the strength of the associated security strategy. This refers to certain access restrictions, like for example, limiting the number of entries. Alternatively, in case of many incorrect login attempts, further entries could be refused for a certain period of time.

Brute-force attacks can be implemented much faster without such security mechanisms in place. The two factors that basically determine the success of such an attack are the time available and the capabilities of the attacker’s hardware, which is largely responsible for the speed of the attack.

This method of attack, which some experts have described as redundant, is used increasingly by internet criminals. It is used to attack FTP hosts, ports and clients with an active release function for the remote desktop. In this case, a flood of attacks can be initiated in automated form. The attacker only has to define the framework conditions by specifying parameters.



Do you already know the Hornet News?

Subscribe now for free and without obligation!

First name:
Last name:
Email:*
Hidden
newsletter_type
Hidden
mkt_optin
Hidden
website_lang
Data Privacy*
- I agree to the processing of my data in order to receive this newsletter of Hornetsecurity Inc. with regard to the stated contents. I can revoke this agreement at any time affecting the future, at the simplest by confirming the unsubscribe link at the end of each newsletter or by sending a message to privacy@hornetsecurity.com. I have taken note of the data protection regulations and the information about the processing of data included therein, in particular regarding my rights.
Name
This field is for validation purposes and should be left unchanged.

The password length also determines the success of brute-force attacks

The weakness lies in the password length. Most users are simply negligent when choosing their password combination. This is especially true for setting passwords for remote access. Often and for whatever reason, shallow as well as simple combinations of characters are chosen here in the form of names, dates of birth or strings of keyboard shortcuts. Users who do so, put themselves at a high security risk. Short password combinations of a four- to six-digit character length are particularly affected.

Here’s an example: For simplicity, employee A selects a four-digit password for remote desktop access that consists only of lowercase letters. Attacker X is aware that the security arrangements are only marginal in employee A’s company. For this reason, the attacker decides to check all small letter combinations of four characters length to get the password of employee A.

The resulting variants amount to 456,976, which mathematically corresponds to 26^4. Powerful hardware allows attacker X to gain the password of employee A in just a few seconds by setting the correct parameters in his brute-force software. If successful, the attacker gains full control of the system.

This example illustrates the relevance of the password length which every user should consider. The decryption time of the attacking software increases with an increased password length. The same applies to the additional use of large and small letters as well as numbers and special characters. It therefore seems advisable to use password keys that have more than 32 characters. For example, lengths of 256 and 512 bits are common. Here, the level of difficulty on the attacker’s side is significantly higher than with a shorter-length string.

5 effective tips to protect against brute-force attacks

1. Limit wrong entries

Brute-force attacks can be effectively countered by restricting and slowing down the attacker in his actions. As already stated, attacks of this kind always follow the same pattern. However, it should be noted that many brute-force attacks could be contained by very simple precautionary measures.

This refers for example to a protection mode that blocks the user’s account if there are many incorrectly entered access codes. Here we recommend a coupling of the lock to a successive extension of the time interval. Above all, you are reacting to the steadily increasing performance of computer capacities, which are naturally also used by cyber criminals.

This enables cybercriminals to find out passwords in moderately protected systems within a few minutes or even seconds. The creation of a lock results in a significant delay in brute-force attacks. Blocking the attack attempts as a whole is not possible

However, this is not always a useful measure. Recklessly caused lockouts of user accounts can cause additional expenses in the administration of a corporate network. Here, it is important to find a middle ground and determine whether this approach seems appropriate in terms of protection for the company’s own infrastructure.



2. Using strong password combinations

In contrast, the option of creating strong access codes characterized by a certain complexity for the user accounts in advance seems simple. As a rule, the access code should not be a combination of words that appear in the dictionary, such as the Duden or the Cambridge Dictionary. This prevents the so-called dictionary attacks which are based on the successive processing of a word list in a brute-force attack.



3. Alternatives to traditional passwords

Another way to reduce brute-force attacks is to give up access codes in the form of passwords. Alternatively, you could think about the use of tokens or OTPs. Using so-called one-time passwords completely prevents replay attacks in which attackers fake their identity. In a broader sense, this means that each subordinate authentication requires the generation of an additional OTP.



4. Multi-way authentication

The token solution is a two-factor authentication, also known as 2FA. This security measure is commonly used for banking transactions. In addition to the conventional login, another security level is added to make a transfer.. This is possible with a SMS transfer code via smartphone or an mTAN generator. Another possibility is a Turing test, which provides information on whether it is a human or computer-controlled input. This form of protection is also known as captcha.



5. Abstraction of standard structures

If the security relatesto a login area of an attached CMS, it is important to not adopt directory structures specified by the manufacturer, but to individualize them. This ensures that attackers cannot immediately find directory paths for the admin area. It is also possible to only give pre-defined IP addresses access to the respective admin area. Furthermore, it’s also recommended to individualize user names outside of a CMS. Login names such as “User” or “Admin” should generally be avoided.

How to Prevent Ransomware Attacks: An Easy-to-Follow Guide

January 05, 2024 | Security information

It's been the scourge of businesses globally for several years now, and shows no sign of abating - ransomware, which makes ransomware attack prevention crucial. Not a new threat, but growing in seriousness over the last few years, aided by the ease for the criminals...

The Vulnerability of AI to Cyber Attacks – AI’s Achilles’ Heel

December 29, 2023 | Security information

Artificial Intelligence (AI) attacks are not quite at the level of Skynet depicted in the 1984 film “The Terminator,” but this hasn’t stopped the speculations and real-world implications around AI technological advances. Although the science fiction within “The...

Tested Techniques for Preventing Cloud Attacks on Your System

December 15, 2023 | Security information

Whenever we see a technology rising in the market, it quickly becomes one of the targets for hackers. The same is happening with the cloud. According to Statista, as of 2023, 60% of corporate data is stored in a public cloud hosted by AWS, Microsoft, Google, and...

Additional information

Attacks based on brute-force basically have an unconventional and redundant attack pattern; however, they are still widely used by cybercriminals today. The trick behind a brute-force attack is to exploit the vulnerabilities in password management caused by the user or admin.

Those who follow the basic safety recommendations as a company have already created a first basis of protection against external attacks. In addition, however, it is strongly advised to supplementary integrate a professional tool for data security.

More Information

Visit Our Knowledge Base

Did you like our contribution from the knowledge database on the subject of Brute-Force-Attack ? Then you get to the overview page of our knowledge database here. There you will learn more about topics such as DDoS Attacks, Crypto mining, Cryptolocker virus, phishing, IT Security, GoBD, cyber kill chain, computer virus and ransomware.

Back To Knowledge Base