Brute force is a common form of attack whose main purpose is to break passwords, especially weak or reused ones. Learn how to spot a brute force attack and how to counter it.
Brute force – what is it?
The share of crime committed in cyberspace grows every year, and its detection rate is still far from satisfactory. One of the attack methods is brute force. This weapon in the hacker's arsenal is one of the oldest, but it is still common. How exactly does it work?
Brute force is a method of breaking passwords and cryptographic keys by repeatedly trying different combinations of characters until the correct one is found. This method works best against short and simple passwords.
Brute force is mainly used to steal sensitive data, both from private users and from large companies or organizations. Such attacks can also seriously damage a website's reputation. Brute force is considered a rather laborious hacking practice, but the threat should not be underestimated under any circumstances.
Brutal force can work wonders
Types of brute force attacks
The time it takes to crack a password varies with the complexity of the password and with the specific brute force method used. Becoming familiar with the types of attacks will help you recognize them and thus prevent data leakage.
Simple brute force
As the name suggests, the basic brute force attack involves tediously typing in successive combinations of symbols. In this case the attacker does not use any cracking software, but tries to guess the password on their own by entering various strings manually. With this method, the attacker may do a little research first, for example on a specific user's favorite bands or the names of the people closest to them (assuming the login is already known).
Simple brute force can be effective because many users still use passwords like "password123". A classic example of the effectiveness of this seemingly primitive method is the pre-release leak of the Half-Life 2 source code in 2004. Gabe Newell, head of Valve, the studio behind the title, had set the word "gaben" as the password to his e-mail inbox. This "secret" was discovered by a young hacker from Germany, who managed to log into Newell's account without any special tools and then steal the game's source files.
Dictionary attack
A dictionary attack is similar to a simple brute force attack, but instead of working through individual symbols it focuses on words that appear frequently in everyday speech. The name comes from the image of a hacker with a dictionary in hand, breaking the targeted passwords.
In practice, the method relies on dictionaries of popular words, phrases or expressions. A brute force tool takes a specific input (e.g. a login already known from a database of common logins, or data disclosed after a large leak) and generates password candidates for specific users. For safety, it is therefore not recommended to use, for example, dates of birth or common words or phrases.
Hybrid attack
The hybrid attack combines the two brute force methods described above. It is used once the attacker knows the username and starts trying various combinations of words and characters (e.g. "Warsaw2020").
Reverse brute force attack
This method involves taking a common password such as "password1234" and searching a database for a login it might match. Reverse brute force is mainly used with data leaks, or when specific passwords have been disclosed through a network breach.
Credential stuffing
Credential stuffing works when users reuse the same passwords for accounts on multiple websites. Attackers collect previously obtained login and password pairs and then, by trial and error, enter them on other sites.
Examples of software used for brute force methods
Brute force attacks are considered very time-consuming, so hackers have created special programs to speed up the password cracking process. One of them is a networking utility called Aircrack-ng, available for Linux and Windows. The program captures traffic from nearby Wi-Fi networks and can break popular security schemes (WEP, WPA/WPA2-PSK).
A simple login and password is asking for trouble
One of the most popular cracking tools is John the Ripper. Probably everyone interested in cybersecurity knows this password cracker. It originally ran on UNIX, and the developers of the Openwall project have since extended it to 15 other platforms. The tool is completely free and open source.
The brute force algorithms on which password cracking software is based can significantly shorten the time needed to catch weak passwords. An operation that would take several years in "manual mode" can be completed by the software in a few days.
However, brute force programs need substantial hardware resources to work properly. Hacker-developers have found an answer to this problem too, by combining the power of two components: the central processing unit (CPU) and the graphics processing unit (GPU). This makes it possible to accelerate password cracking significantly (even by 250%).
Ways to defend against brute force
The most effective defense against brute force attacks is to use strong, varied passwords. They should be of adequate length (a minimum of 8-10 characters; the longer the better) and contain uppercase and lowercase letters as well as digits and special characters. Such a password will substantially extend the time needed to crack it.
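To put numbers on the length and character-class advice above, here is an added example (not code from the original article) that estimates the worst-case guess count for a password. The wordlist is a tiny constructed stand-in for a real dictionary-attack list, and the 1e10 guesses per second rate is an assumed GPU-class figure, not a measurement.

```python
import string

# Constructed miniature wordlist standing in for a real dictionary-attack list.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]

# The character classes the text recommends mixing: lowercase, uppercase, digits, specials.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def charset_size(password):
    """Size of the smallest alphabet that covers every character in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def guesses_needed(password, wordlist=COMMON_PASSWORDS):
    """Worst-case number of guesses an attacker needs.
    A password present in the wordlist falls to a dictionary attack at its list position,
    however long or mixed it looks; otherwise the full keyspace charset**length applies."""
    if password in wordlist:
        return wordlist.index(password) + 1
    return charset_size(password) ** len(password)

def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case exhaustive-search time at the given guess rate (assumed, see lead-in)."""
    return guesses_needed(password) / guesses_per_second
```

Note that "password123" is 11 characters long and mixes letters and digits, yet it is guessed in a handful of attempts because it sits in every wordlist; length only helps when the password is not a dictionary entry.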
Also avoid hackneyed and predictable phrases such as your dog's name, the name of a popular author or the name of a sports club; the worst choice of all is the word "password" as a password. Instead, use complex expressions that rarely occur in everyday speech. Besides the password itself, it is also important to vary the login. Do not use words like "admin" for it, as that makes it easier for attackers to get into your account.
Nowadays almost every user has accounts on many sites, so remembering various logins can be troublesome. However, this is no excuse when it comes to protecting sensitive data. Therefore, do not use identical passwords for each account, whether e-mail, social networks or online stores. You can, however, use a password manager, whose own security will be an additional obstacle for attackers.
Organizations and companies should also take care to protect their employees' passwords. Even if employees follow the advice above, it will be useless if, for example, an attacker can try different passwords endlessly. It is therefore worth limiting the number of attempts and applying an appropriate lockout that prevents unwanted actions. As an employer or website owner, you should also educate your colleagues in the basics of cybersecurity.
It is equally important to monitor network traffic: multiple login attempts, especially from an unusual location, should arouse suspicion and trigger an alert to the site's users. For better protection, you can use two-factor authentication on your website, which confirms a login with codes sent via e-mail or SMS.
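The attempt limiting and login monitoring recommended in the two paragraphs above, as an added example that is not code from the original article: a small detector run over a constructed authentication log. It flags an account that hit the lockout threshold, a single source that failed against many different accounts (the reverse brute force and credential stuffing pattern), and a success that immediately follows such a burst of failures. The log format and the thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example, not from a real system).
# Format: <ISO timestamp> <FAIL|OK> user=<login> src=<client IP>
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:06 OK user=alice src=203.0.113.5
2024-03-01T10:01:00 FAIL user=bob src=198.51.100.9
2024-03-01T10:01:01 FAIL user=carol src=198.51.100.9
2024-03-01T10:01:02 FAIL user=dave src=198.51.100.9
2024-03-01T10:01:03 FAIL user=erin src=198.51.100.9
2024-03-01T12:00:00 FAIL user=gina src=192.0.2.7
2024-03-01T12:30:00 OK user=gina src=192.0.2.7
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect(log, window=timedelta(minutes=5), max_fail_per_user=5, max_users_per_src=4):
    """Return sorted (alert, subject, detail) tuples:
    lockout           - one account reached max_fail_per_user failures inside the window
    spray             - one source failed against max_users_per_src different accounts
    post-fail-success - a login succeeded right after its account crossed the lockout line
    """
    user_fails = defaultdict(list)  # user -> failure timestamps still inside the window
    src_fails = defaultdict(list)   # src  -> (timestamp, user) failures inside the window
    alerts = set()
    for line in log.strip().splitlines():
        ts, result, user, src = parse_line(line)
        # Slide the window: forget failures older than `window` before this event.
        user_fails[user] = [t for t in user_fails[user] if ts - t <= window]
        src_fails[src] = [(t, u) for t, u in src_fails[src] if ts - t <= window]
        if result == "FAIL":
            user_fails[user].append(ts)
            src_fails[src].append((ts, user))
            if len(user_fails[user]) >= max_fail_per_user:
                alerts.add(("lockout", user, src))
            distinct_users = len({u for _, u in src_fails[src]})
            if distinct_users >= max_users_per_src:
                alerts.add(("spray", src, distinct_users))
        elif len(user_fails[user]) >= max_fail_per_user:
            alerts.add(("post-fail-success", user, src))
    return sorted(alerts)
```

Note that gina's single failure followed by a success half an hour later produces no alert, since the window has already slid past it; only bursts are reported.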
You now know what brute force is and what methods hackers use to steal personal data. Thanks to the additional algorithms used in specialized brute force programs, passwords can be cracked even more effectively. So remember that nothing on the Internet is 100% safe, and take care of the best possible protection of your data by using complex and varied passwords.