Definition

In a brute-force attack, cyber criminals use automated programmes to guess passwords and encryption keys in an effort to gain unauthorised access to networks and systems. These attacks involve no strategic or intellectual method: the attacker simply keeps trying candidates until one works. The term itself covers a wide variety of fairly simple password-cracking methods that all rely on trial and error.

How Are Brute-Force Attacks Used?

Brute-force attacks can be launched against a live application or against a hashed or encrypted password value. Web applications usually have controls in place that stop automated brute-forcing, so it is much more common for an attacker to brute-force stolen hashed password values. If the attack is deployed against an application, the attacker uses automation software that runs a list of usernames and passwords against the application until a match is found. Once a match is found, the attacker has access to the user’s account if no other protections are in place.

With cracked passwords, an attacker now has access to user accounts. Cyber attackers aim for user credentials for a variety of reasons. They might want to steal money or gain access to a user's personally identifiable information (PII). An attacker might use an account to inject malicious code onto the system or send malicious files to other users on the system.

If an attacker steals credentials for an administrator account, the attacker could hijack server traffic, inject ads into website content, steal additional data from internal network databases, or install malware on critical infrastructure. The damage from brute-force attacks depends on the authorisation level of the stolen account and the type of application.

Some other actions an attacker can take after a successful brute-force attack:

  • Send messages to employees or other users to trick them into clicking phishing links or opening attachments with malware included.
  • Store malware on the system or on the internal infrastructure. If the malware runs on an administrator’s device, the attacker could steal higher-level credentials.
  • Send customers messages in an attempt to ruin the application owner’s reputation.
  • Hijack server processes to inject malware such as traffic-eavesdropping applications.
  • Inject adware onto the application to make money with ads.
  • Redirect user traffic to an attacker-controlled server.

Popular Attack Tools

A human can type a few passwords into an application per minute, but a computer can process hundreds or thousands of password guesses a minute (depending on connection speed). As a result, attackers use automation to deploy brute-force attacks. Sometimes they write their own scripts in a favourite language such as Python.

Examples of cyber attacker tools used to brute-force passwords:

  • Aircrack-ng
  • John the Ripper
  • L0phtCrack
  • Hashcat
  • DaveGrohl
  • Ncrack

In addition to password cracking tools, attackers will also run vulnerability scanners on systems to identify outdated software and discover information about the target application. Administrators should always keep public-facing servers updated and patched and use monitoring software to identify scans on the system.

Types of Brute-Force Attacks

Brute-force attack is an umbrella term that covers a variety of password-cracking methods which all rely on trial and error.

These are some brute-forcing techniques:

  • Simple brute-force attack. Bad actors use automated scripts to try out possible passwords until the correct one works. Simple brute-force attacks can be very time-consuming because they systematically try every possible combination of characters in sequence. The longer the password, the longer it takes.
  • Dictionary attack. These attacks are less about quantity and more about quality. Instead of trying every possible combination of legal characters, bad actors start with the assumption that users are likely to follow certain patterns when they create a password. So they will home in on the most likely words rather than trying everything.
  • Hybrid attack. These attacks are a mix of dictionary and simple brute-force attacks. In this case, a bad actor may obtain a user’s compromised password for one site. The user learns it has been compromised and changes it. The attacker then tries variations of the old password using a brute-force method that automates the addition of numbers, letters and more.
  • Reverse brute-force attack. Reverse brute-force password methods take a list of known passwords and automatically submit them to an application until a username is found. Attackers who use this method often download a list of stolen passwords from darknet markets and apply them to user accounts to find a credential match.
  • Credential stuffing. Users often use the same passwords across several sites. An attacker who gains access to user passwords on one site will try the same ones on other sites. Here’s how it works: Pairs of compromised usernames and passwords are added to a botnet that automates the process of trying stolen credentials on multiple sites at the same time. The purpose of these attacks is to identify account combinations that work and can be re-used across multiple sites.

How to Prevent Brute-Force Attacks

Several strategies are available to administrators to help them prevent and detect brute-force attacks. The first step is to create better password rules so that users are unable to create weak passwords. For non-critical systems, passwords should be at least 10 characters with uppercase letters, special characters, and numbers. For critical systems, passwords should be at least 12 characters. With strong password encryption, it would take a computer several decades to brute-force such a password.

The following strategies can also be used to stop brute-force attacks:

  • Rate limit password attempts. The application can limit the number of password attempts before locking the account and display a CAPTCHA when too many attempts are made. This stops automated brute-force attacks and slows them down to the point where running through hundreds of potential passwords isn’t feasible.
  • Lock accounts after too many login attempts. This will disrupt the attacker's continued brute-force attacks.
  • Block suspicious IP addresses. If an IP address sends too many login attempts, the system could either block the IP automatically for a short while, or an administrator can manually add it to a blacklist.
  • Use two-factor authentication. This is a type of multifactor authentication which requires users to enter two forms of identification in order to sign in. The process uses knowledge, location, possession and time factors to confirm a user’s identity.
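As an added illustration of the rate-limiting, lockout and IP-blocking controls listed above (example code written for this page, not a vendor product or the page’s own code; the thresholds, window length and expiry time are assumptions):

```python
import time
from collections import defaultdict, deque

class LoginGuard:
    """Login rate limiter (added example, thresholds are assumptions): an account
    needs a CAPTCHA after `captcha_after` failures and locks after `max_account_fails`
    inside a sliding `window`; an IP is blocked after `max_ip_fails` failures across
    any accounts. Locks and blocks expire after `lock_seconds`."""

    def __init__(self, max_account_fails=5, max_ip_fails=20, captcha_after=3,
                 window=300, lock_seconds=900, clock=time.time):
        self.max_account_fails, self.max_ip_fails = max_account_fails, max_ip_fails
        self.captcha_after, self.window = captcha_after, window
        self.lock_seconds, self.clock = lock_seconds, clock  # clock injectable for tests
        self.account_fails = defaultdict(deque)   # username -> failure timestamps
        self.ip_fails = defaultdict(deque)        # source IP -> failure timestamps
        self.locked_until, self.blocked_until = {}, {}

    def _prune(self, timestamps, now):
        """Drop failure timestamps that fell out of the sliding window."""
        while timestamps and timestamps[0] < now - self.window:
            timestamps.popleft()

    def check(self, username, ip):
        """Decide before verifying the password: 'allow', 'captcha', 'locked' or 'blocked'."""
        now = self.clock()
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        if self.locked_until.get(username, 0) > now:
            return "locked"
        fails = self.account_fails[username]
        self._prune(fails, now)
        return "captcha" if len(fails) >= self.captcha_after else "allow"

    def record_failure(self, username, ip):
        """Count a failed attempt; lock the account or block the IP once a limit is hit."""
        now = self.clock()
        for store, key, limit, expiry in (
            (self.account_fails, username, self.max_account_fails, self.locked_until),
            (self.ip_fails, ip, self.max_ip_fails, self.blocked_until),
        ):
            store[key].append(now)
            self._prune(store[key], now)
            if len(store[key]) >= limit:
                expiry[key] = now + self.lock_seconds

    def record_success(self, username):
        """A successful login resets the account's failure counter."""
        self.account_fails.pop(username, None)
```

Call `check()` before verifying a password and `record_failure()` or `record_success()` afterwards; the per-IP counter is what catches reverse brute-force runs that spread failures across many accounts.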

Monitoring software will detect brute-force attacks and alert administrators to suspicious behaviour. When a brute-force attack is detected, the application may be under an account takeover attempt, and the detection should prompt additional review of the network to determine whether a data breach has occurred.
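As an added example, not from the original page, of what such monitoring looks like over login logs: the script below runs over a constructed log excerpt (made-up usernames, RFC 5737 test-range IPs, an assumed line format) and tells apart the single-account brute force and the reverse brute-force pattern described under Types of Brute-Force Attacks, flagging a success that follows a run of failures as a possible account takeover.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page); IPs are RFC 5737 test addresses.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=alice result=OK
2024-05-01T10:01:00Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T10:01:01Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T10:01:02Z src=198.51.100.7 user=dave result=FAIL
2024-05-01T10:01:03Z src=198.51.100.7 user=erin result=FAIL
2024-05-01T10:01:04Z src=198.51.100.7 user=frank result=FAIL
2024-05-01T10:02:00Z src=192.0.2.9 user=grace result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(log_text):
    """Yield (source_ip, username, succeeded) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"

def classify_sources(log_text, fail_threshold=5, spray_users=4):
    """Label each source IP whose failure count reaches the threshold: one account hammered
    looks like a simple/dictionary attack, many distinct accounts like a reverse brute force."""
    fails = defaultdict(list)   # src -> usernames of failed attempts
    succeeded = set()           # src that logged in after earlier failures
    for src, user, ok in parse(log_text):
        if ok and src in fails:
            succeeded.add(src)
        elif not ok:
            fails[src].append(user)
    findings = {}
    for src, users in fails.items():
        if len(users) < fail_threshold:
            continue   # a few typos are not an attack
        label = ("reverse brute force / password spray" if len(set(users)) >= spray_users
                 else "single-account brute force")
        if src in succeeded:
            label += " (succeeded: possible account takeover)"
        findings[src] = label
    return findings
```

Credential stuffing spreads its attempts across many IPs, so on a real system the same grouping should also be run per username and across the whole fleet, not only per source address.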