A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks.
Brute force attacks are simple and reliable. Attackers let a computer do the work - trying different combinations of usernames and passwords, for example - until they find one that works. Catching and neutralizing a brute force attack in progress is the best counter: once attackers have access to the network, they're much harder to catch.
Types of Brute Force Attacks
The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These attacks tend to be somewhat outdated, given newer and more effective techniques.
Computers manufactured within roughly the last ten years can brute force crack an 8 character alphanumeric password - capital and lowercase letters, numbers, and special characters - in about two hours. Computers are so fast that they can brute force a weak password hash in mere months. This kind of brute force attack is known as an exhaustive key search: the computer tries every possible combination of every possible character until it finds the right one.
Credential recycling is another type of brute force attack that reuses usernames and passwords from other data breaches to try to break into other systems.
The reverse brute-force attack uses a common password like "password," and subsequently tries to brute force a username to go with that password. Since "password" is one of the most common passwords in 2017, this technique is more successful than you might think.
Motives Behind Brute Force Attacks
Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a "set it and forget it" method of gaining that access. Once they have entry into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.
Attackers also use brute force attacks to look for hidden web pages. Hidden web pages are pages that live on the internet but are not linked from other pages. A brute force attack tests different addresses to see if they return a valid web page, and seeks out a page the attacker can exploit: a software vulnerability in the code they could use for infiltration - like the vulnerability used to infiltrate Equifax - or a web page that exposes a list of usernames and passwords to the world.
There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel, improving their odds of finding a result that is positive - for them.
How to Defend Against Brute Force Attacks
Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most defenses against brute force attacks work by increasing the time required for success beyond what an attacker can practically spend, but that is not the only defense.
- Increase password length: More characters equal more time to brute force crack
- Increase password complexity: More options for each character also increase the time to brute force crack
- Limit login attempts: Most directory services keep a counter of failed login attempts, and every brute force guess increments it. A good defense is to lock out the account after a few failed attempts, which nullifies a brute force attack in progress.
- Implement Captcha: Captcha is a common system for verifying that a human is a human on websites, and it can stop brute force attacks in progress.
- Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention, which can stop a brute force attack from succeeding.
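The "limit login attempts" item above is easy to state and easy to get subtly wrong. The following is an added example (not Varonis code and not taken from this post) of a minimal server-side guard that counts failures per account inside a sliding window, locks the account after a fixed number of them, and keeps refusing even the correct password until the lockout expires. The user store, the `ManualClock`, the thresholds and the demo credentials are all constructed for the example; password hashing uses PBKDF2 from the standard library so that each guess also costs the attacker real CPU time.

```python
"""Per-account login throttling with lockout (added example, not Varonis code)."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

MAX_FAILURES = 5        # lock the account after this many failures ...
WINDOW_SECONDS = 300    # ... occurring within this sliding window
LOCKOUT_SECONDS = 900   # how long the account stays locked
PBKDF2_ROUNDS = 100_000  # slow hash: every guess costs the attacker CPU time


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ManualClock:
    """Injectable clock so lockout expiry can be tested without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users                    # username -> (salt, digest)
        self._clock = clock
        self._failures = defaultdict(deque)    # username -> failure timestamps
        self._locked_until = {}                # username -> unlock time

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        return until is not None and self._clock() < until

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users take the same path as known ones."""
        now = self._clock()
        if self.is_locked(username):
            return "locked"                    # refuse even a correct password while locked
        q = self._failures[username]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                        # forget failures outside the window
        # Dummy salt/digest for unknown users keeps the hashing cost (and timing) uniform.
        salt, expected = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
        _, digest = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(digest, expected):
            q.clear()
            return "ok"
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            q.clear()
            return "locked"
        return "denied"


def demo() -> list:
    """Five wrong guesses lock 'alice'; the right password is refused until the lockout lapses."""
    clock = ManualClock(1000.0)
    users = {"alice": hash_password("correct horse battery staple")}  # constructed account
    guard = LoginGuard(users, clock)
    results = [guard.attempt("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(guard.attempt("alice", "correct horse battery staple"))  # still locked
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(guard.attempt("alice", "correct horse battery staple"))  # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the guard counts failures per account rather than per source address, because a distributed attacker changes addresses freely, and the lockout answer is returned before the password is checked at all, so a locked account gives the guessing loop no signal.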
The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We've got threat models that monitor lockout behaviors (often a sign that there's a brute force attack under way), threat models that detect potential credential stuffing, and more - all designed to detect and prevent brute force attacks before the attack escalates.
It's better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.
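The monitoring approach described in the two paragraphs above (lockout behaviour, credential stuffing, stopping the attack before it escalates) comes down to spotting patterns in authentication events. Here is an added example, not Varonis code and not from this post, of a small detector run over constructed authentication log lines. It raises three kinds of alert: many failures from one source against one account (classic brute force), one source failing against many different accounts (the reverse brute force / password spraying pattern), and a success that follows a burst of failures on the same account, which is the signal that lockout was not enforced and the guess landed. The log format, the thresholds and the addresses are all invented for the example.

```python
"""Authentication-log brute force detector (added example, not Varonis code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<ISO timestamp> FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW_SECONDS = 60    # sliding window for all counters
FAIL_THRESHOLD = 5     # failures on one (src, user) pair -> brute force alert
SPRAY_THRESHOLD = 4    # distinct users failed from one src -> spray alert
BURST_BEFORE_OK = 3    # failures immediately preceding a success -> success_after_burst

# Constructed sample: 203.0.113.7 hammers alice then gets in; 198.51.100.9 tries one
# password per account; 192.0.2.5 is a normal user who typoed once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 FAIL user=bob src=198.51.100.9
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.7
this line is not an auth event and must be skipped
2024-05-01T10:00:04 FAIL user=carol src=198.51.100.9
2024-05-01T10:00:05 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06 FAIL user=frank src=192.0.2.5
2024-05-01T10:00:07 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:08 FAIL user=dave src=198.51.100.9
2024-05-01T10:00:09 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:10 OK user=frank src=192.0.2.5
2024-05-01T10:00:11 FAIL user=erin src=198.51.100.9
2024-05-01T10:00:12 OK user=alice src=203.0.113.7
"""


def parse(line: str):
    """Return a dict for a well-formed event, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines) -> list:
    """Return alerts as (kind, src, detail) tuples, each fired at most once per key."""
    alerts = []
    per_pair = defaultdict(deque)        # (src, user) -> recent failure times
    per_src_users = defaultdict(dict)    # src -> {user: last failure time}
    fired = set()
    for ev in filter(None, map(parse, lines)):
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        q = per_pair[(src, user)]
        while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if ev["result"] == "OK":
            if len(q) >= BURST_BEFORE_OK:
                alerts.append(("success_after_burst", src, user))
            q.clear()
            continue
        q.append(ts)
        if len(q) >= FAIL_THRESHOLD and ("brute", src, user) not in fired:
            fired.add(("brute", src, user))
            alerts.append(("brute_force", src, user))
        users = per_src_users[src]
        users[user] = ts
        recent = sum(1 for t in users.values() if (ts - t).total_seconds() <= WINDOW_SECONDS)
        if recent >= SPRAY_THRESHOLD and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append(("password_spray", src, recent))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The spray rule is the one that catches the reverse brute force technique from the first section: a real user fails on one account, while a source that fails once each on four different accounts within a minute is almost certainly trying one password across a username list. In practice the thresholds are tuned per environment, and the `success_after_burst` alert is the one to escalate first, since it means a credential has already been guessed.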
What is a Brute Force Attack?
A brute force attack, or exhaustive search, is a trial-and-error technique for guessing the secrets that protect logins, encryption keys, or hidden web pages by trying every possible combination.
Frequently Asked Questions
What is a brute force attack example?
If you have a password that's only one character long, using numbers and letters (upper and lowercase), there would be 62 different possibilities for that character. A brute force attack would try every possible character in an instant to attempt to learn your one-character password. With normal passwords being around 8 characters, the possibilities are then multiplied into trillions of possibilities, which may take a bot only seconds to attempt.
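The arithmetic in the FAQ answer above, and the two-hour and "mere months" figures in the section on exhaustive key search, all come from the same calculation: the size of the keyspace divided by how many guesses per second the attacker can make. The following is an added example, not from this post, that computes keyspace, entropy and time-to-exhaust for a password of a given length and alphabet. The offline guess rate of 10 billion per second is an assumed illustrative figure, not a measured one; the online rate is derived from a lockout policy (5 failures per 15 minutes) so the two can be compared, which is the point the defense section makes about increasing the time required for success.

```python
"""Password keyspace and brute force time estimator (added example, not Varonis code)."""
import math
import string

# Alphabet sizes derived from Python's string constants.
ALPHABETS = {
    "digits": len(string.digits),                                   # 10
    "lowercase": len(string.ascii_lowercase),                       # 26
    "letters": len(string.ascii_letters),                           # 52
    "alphanumeric": len(string.ascii_letters + string.digits),      # 62
    "printable": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}

ASSUMED_OFFLINE_RATE = 1e10   # guesses/s: illustrative assumption, not a measurement


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every combination tried. Average case is half of this."""
    return space / guesses_per_second


def online_rate(max_failures: int, lockout_seconds: float) -> float:
    """Sustained guess rate an attacker gets against an account under a lockout policy."""
    return max_failures / lockout_seconds


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit, one decimal place."""
    for name, unit in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
                       ("minutes", 60)):
        if seconds >= unit:
            return f"{seconds / unit:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(length: int = 8, alphabet: str = "alphanumeric",
           offline_rate: float = ASSUMED_OFFLINE_RATE,
           lockout=(5, 900)) -> dict:
    """Compare offline cracking against online guessing throttled by lockout."""
    size = ALPHABETS[alphabet]
    space = keyspace(size, length)
    return {
        "keyspace": space,
        "entropy_bits": round(entropy_bits(size, length), 1),
        "offline_worst_case": human(seconds_to_exhaust(space, offline_rate)),
        "online_worst_case": human(seconds_to_exhaust(space, online_rate(*lockout))),
    }


if __name__ == "__main__":
    for n in (1, 6, 8, 12):
        print(n, report(length=n))
```

Running it shows the two levers the defense section lists: each extra character multiplies the keyspace by the alphabet size, and a lockout policy cuts the attacker's guess rate by many orders of magnitude, turning hours of offline work into geological time online. The keyspace figure is the count for exactly `length` characters; an attacker who also tries shorter strings adds a comparatively small amount to it.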
How does a brute force attack work?
Essentially, a bot tries every combination of numbers and letters to learn your password. A reverse brute force attack guesses a popular password against a list of usernames.
What is the best protection against a brute force attack?
The best protection against a brute force attack is ensuring your passwords are as strong as possible, increasing the time it takes for a hacker to breach and increasing the likelihood they give up and move on.
What can attackers gain?
- Access to personal data
- Access to your system for malicious activity
- Ability to edit your website and ruin your reputation
- Ability to spread malware
- Profit from ads or activity data
How successful are brute force attacks?
According to Verizon's 2020 Data Breach Investigations Report, over 80% of breaches within the Hacking category involve brute force or the use of lost or stolen credentials.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.