A brute-force attack is a password cracking method cyber-criminals use to determine account credentials, particularly passwords. In a brute-force attack, the attacker will usually have a dictionary of common terms and passwords and use them to “guess” a user’s password. After exhausting a list of dictionary terms, the attacker then uses combinations of characters until a match is found. It could take thousands of guesses before a password is cracked, so attackers use automation tools to perform thousands of attempts rapidly.
How are Brute-Force Attacks Used?
Brute-force attacks can be launched against a live application or against a hashed or encrypted password value. Web applications usually have protections in place that stop automated brute-forcing, so it is much more common for an attacker to brute-force stolen password values. If the attack is deployed against an application, the attacker uses automation software that runs a list of usernames and passwords against the login until a match is found. Once a match is found, the attacker has access to the user’s account if no other protections are in place.
A more common brute-force attack is “guessing” a user’s password from its encrypted or hashed form. An encrypted password can be recovered with the key that encrypted it, so an attacker with access to that key can decrypt the password outright, or can use tools that attempt to “guess” the key value. Stored passwords are usually hashed instead; a hash is one-way and cannot be decrypted. The attacker therefore takes a dictionary of candidate passwords, hashes each one the same way the application did, and compares the result with the stolen hash value; a match means the password has been brute-forced.
With cracked passwords, an attacker now has access to user accounts. Hackers aim for user credentials for a variety of reasons. They might want to steal money or gain access to a user's personally identifiable information (PII). An attacker might use an account to inject malicious code onto the system or send malicious files to other users on the system. If an attacker steals credentials for an administrator account, the attacker could hijack server traffic, inject ads into website content, steal additional data from internal network databases, or install malware on critical infrastructure. The damage from brute-force attacks depends on the authorization level of the stolen account and the type of application.
Other actions an attacker can take after a successful brute-force attack:
- Send messages to employees or other users to trick them into clicking phishing links or opening attachments with malware included.
- Store malware on the system or on the internal infrastructure. If the malware runs on an administrator’s device, the attacker could steal higher-level credentials.
- Send customers messages in an attempt to ruin the application owner’s reputation.
- Hijack server processes to inject malware such as traffic eavesdropping applications.
- Inject adware onto the application to make money with ads.
- Redirect user traffic to an attacker-controlled server.
Popular Attack Tools
Brute-force attacks are usually automated. A human can type a few passwords into an application per minute, but a computer can submit hundreds or thousands of password guesses a minute (depending on connection speed). Attackers use automation to deploy brute-force attacks. Sometimes they use their own scripts written in a favorite language, such as Python.
Examples of hacker tools used to brute-force passwords:
- John the Ripper
In addition to password cracking tools, attackers will also run vulnerability scanners on systems to identify outdated software and discover information about the target application. Administrators should always keep public-facing servers updated and patched and use monitoring software to identify scans on the system.
Types of Brute-Force Attacks
The general definition of a brute-force attack is “guessing” user credentials by trying every combination of characters until a match is found. In practice, attackers use a variety of brute-forcing strategies to get the best results, and organizations should understand each type in order to develop defenses against it.
Types of brute-force attacks include:
- Simple brute-force attacks: An attacker will guess a user’s password by entering a combination of values using known information about the targeted user. This could be from information found online or from a social engineering attack.
- Dictionary attacks: Many brute-force attacks use a list of dictionary words, phrases, and common passwords downloaded from the internet.
- Hybrid brute-force attacks: A hybrid attack uses a combination of simple and dictionary methods. Attackers combine their knowledge about the targeted user with dictionary words and phrases. This method uses private information such as the user’s birthday, together with a dictionary word, which is common in user-generated passwords.
- Reverse brute-force attacks: Reverse brute-force password methods take a list of known passwords and automatically submit them to an application until a username is found. Attackers who use this method often download a list of stolen passwords from darknet markets and apply them to user accounts to find a credential match.
- Credential stuffing: Users often use the same passwords across several sites. An attacker who gains access to user passwords on one site will try the same ones on other sites. This is referred to as credential stuffing.
How to Prevent Brute-Force Attacks
Several strategies are available to administrators to help them prevent and detect brute-force attacks. The first step is to create better password rules so that users are unable to choose weak passwords. For non-critical systems, passwords should be at least 10 characters with uppercase letters, special characters, and numbers. For critical systems, passwords should be at least 12 characters. Combined with strong password hashing, a password of that length would take a computer decades to brute-force.
The following strategies can also be used to stop brute-force attacks:
- Use salts: A salt is a random value combined with the password before it is hashed, and each user gets a different one. Using a salt reduces the chance of a successful brute-force attack because the attacker must combine every guess with the salt value, so precomputed hash tables are useless and each stolen hash has to be attacked separately.
- Rate limit password attempts: The application can limit the number of password attempts before locking the account and display a CAPTCHA when too many attempts are made. This stops automated brute-force attacks and slows down manual ones to the point where it is not feasible to run through hundreds of potential passwords.
- Lock accounts after too many login attempts: This will disrupt the attacker's continued brute-force attacks.
- Block suspicious IP addresses: If an IP address sends too many login attempts, the system could either block the IP automatically for a short while, or an administrator can manually add it to a blacklist.
- Multi-factor authentication (MFA): Should an attacker successfully brute-force a password, the additional factor still stops them from completing authentication on the account.
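As an added illustration of the hashing and salting points above (this is example code, not code from the original article), the following Python contrasts a fast unsalted SHA-256 with salted PBKDF2-HMAC-SHA256 from the standard library. The precomputed table of three common passwords is constructed here for the demonstration; the salt size and iteration count are the example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor (example choice): every guess costs the attacker this much

def unsalted_sha256(password):
    """The weak scheme: one fast hash, identical output for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=b""):
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)

# Constructed stand-in for a precomputed table of common passwords an attacker might hold.
PRECOMPUTED = {unsalted_sha256(p): p for p in ["123456", "password", "qwerty"]}

def lookup_precomputed(hex_digest):
    """What a stolen hash gives away when it can be matched against a precomputed table."""
    return PRECOMPUTED.get(hex_digest)

def shared_password_collides(password):
    """Two users pick the same password: do their stored values collide?"""
    unsalted = unsalted_sha256(password) == unsalted_sha256(password)
    (_, a), (_, b) = hash_password(password), hash_password(password)
    return {"unsalted": unsalted, "salted": a == b}
```

With the unsalted scheme a stolen digest of "qwerty" is found in the table immediately and every user with that password is exposed at once; with per-user salts the same password yields unrelated digests and the table is useless.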
Monitoring software can detect brute-force attacks and alert administrators to suspicious behavior. A detected brute-force attack means the application may be under an account takeover attempt, and it warrants additional review of the network to determine whether a data breach has occurred.
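The rate-limit, lockout and IP-blocking controls listed above and the monitoring described here all rest on the same signal: too many failed logins in too short a window. The following Python is an added example (not the article's code) that applies sliding-window thresholds to a constructed sshd-style log sample and distinguishes repeated failures on one account (simple or dictionary attacks), one source trying many usernames (reverse brute-force or credential stuffing), and a login that succeeds right after a burst of failures. The log lines, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample in an sshd-style format (not taken from a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 Failed password for alice from 203.0.113.7
2024-05-01T10:00:04 Failed password for alice from 203.0.113.7
2024-05-01T10:00:06 Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 Accepted password for alice from 203.0.113.7
2024-05-01T10:00:30 Failed password for bob from 192.0.2.5
2024-05-01T10:01:00 Failed password for bob from 198.51.100.9
2024-05-01T10:01:02 Failed password for carol from 198.51.100.9
2024-05-01T10:01:04 Failed password for dave from 198.51.100.9
2024-05-01T10:01:06 Failed password for erin from 198.51.100.9
2024-05-01T10:09:30 Failed password for bob from 192.0.2.5
"""
LINE_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_ACCOUNT = 4  # one account hammered: simple/dictionary brute force
MAX_ACCOUNTS_PER_IP = 4    # one source, many usernames: reverse brute force / stuffing

def parse(log):  # (timestamp, result, user, ip) tuples in time order; other lines skipped
    rows = [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]
    return sorted((datetime.fromisoformat(ts), res, user, ip) for ts, res, user, ip in rows)

def _expire(window, ts):  # drop (ts, user) entries that fell out of the sliding window
    while window and ts - window[0][0] > WINDOW:
        window.popleft()

def detect(log):  # returns the set of (alert_kind, key) pairs found in the log
    alerts, burst_at = set(), {}
    fails_by_user = defaultdict(deque)  # user -> recent failed attempts
    users_by_ip = defaultdict(deque)    # ip -> recent (ts, user) it failed against
    for ts, result, user, ip in parse(log):
        if result == "Accepted":  # success shortly after a burst is the "guess found" signature
            if user in burst_at and ts - burst_at[user] <= WINDOW:
                alerts.add(("success_after_burst", user))
            continue
        fails_by_user[user].append((ts, user))
        _expire(fails_by_user[user], ts)
        if len(fails_by_user[user]) >= MAX_FAILS_PER_ACCOUNT:
            alerts.add(("account_bruteforce", user))
            burst_at[user] = ts
        users_by_ip[ip].append((ts, user))
        _expire(users_by_ip[ip], ts)
        if len({u for _, u in users_by_ip[ip]}) >= MAX_ACCOUNTS_PER_IP:
            alerts.add(("ip_many_accounts", ip))
    return alerts
```

On the sample, bob's two failures nine minutes apart from 192.0.2.5 fall outside the window and raise nothing, which is the behaviour a lockout or IP-block rule needs so that ordinary typos do not lock users out.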