Discovering that your online accounts have been hacked can be a devastating experience. Not only can it ruin your day or even week, but the potential damage caused by a password breach can be severe.
For example, if your Facebook account is compromised, the attacker may be able to extend the attack to your friends and family, potentially infecting their devices with malware.
A breach of your bank or cryptocurrency account, on the other hand, could result in stolen money or identity theft.
But how do hackers do it? What techniques are commonly used to break into someone’s account? What responsibilities do website and mobile app developers have to prevent such attacks, and what can users and companies do to protect themselves?
Hackers employ various techniques to gain access to someone’s online account. Some of these techniques are the following:
- phishing scams,
- brute force attacks, and
- malware infections.
In this article, we are going to expand on the topic of brute force attacks. Password Hero’s mission is to help educate and protect you against brute force attacks that could lead to negative consequences, by providing you with knowledge and convenient tools.
Once you understand brute force password attacks, you will be amazed at how simple and straightforward top-notch password security can be. With the right strategy, you will never be the victim of a password brute force attack.
Then, you too can become a Password Hero by spreading the word to your friends and family! So, without further delay, let’s expand our knowledge and learn more about brute force password attacks!
What Is A Brute Force Attack?
A brute force attack (also known as “cracking”, “password spraying”, or simply “bruting”) is a hacking technique that repeatedly tries to guess the correct credentials to access a resource such as an online account or network service.
In a brute force attack, the attacker uses a software program to submit usernames and passwords or other credentials such as certificates or encryption keys in a machine-gun-like fashion. The attacker hopes to try as many times as needed to successfully guess and compromise the account. Once the attacker has access they can do all sorts of malicious things to the victim.
Brute force attacks generally fall into two main categories: “online” and “offline” brute force attacks.
In online attacks, the attacker tries to gain access to an internet or local area network (LAN) resource remotely. The hacker is limited by the system resources (network bandwidth, CPU, and RAM) of the target and will also have to outsmart any defensive tactics such as rate-limiting, firewalls, intrusion detection and prevention (IDS/IPS), or web-application firewalls (WAF), used by the target system.
On the other hand, offline attacks are done on the attacker’s own local computer. Because that system is 100% controlled by the attacker, the target’s system resources impose no limit; the only limit is how much money the attacker can spend on computing power. Offline attacks depend on having stolen data, such as password hashes or encrypted files, to crack.
Theoretically, for both online and offline attacks, if given enough time an attacker will eventually guess the right combination.
However, hackers have developed methods to increase the efficiency of brute-forcing to speed up the time required to crack the target and also to try to bypass any defensive measures put in place by the target’s designers and developers.
What is Password Hashing?
Password hashing is a strategy used by cyber defenders to protect user passwords that are stored in databases. In general, hashing uses a mathematical algorithm or equation to encode the user’s plaintext password as a string of characters and numbers.
Many different hashing algorithms have been developed, such as MD5, SHA-1, SHA-2, and SHA-3. A hashing algorithm always produces the same output for the same input, and a different output for different inputs.
After the user sets their password the first time, it is converted to a hash that is stored in the database instead of the actual password. Then, every time the user logs in, their submitted password is again hashed and compared with the stored hash to see if they match. If they match, the user is authenticated and able to log in to the application.
This strategy of storing hashes instead of the plain text password protects the user’s password because if the hashes are stolen, they cannot be reversed to find the original password and cannot be entered directly to gain access to the account.
What Are The Different Types of Brute Force Attacks?
There are several different types of brute force attacks because attackers have developed many different strategies for efficiently guessing the right credentials.
Let’s review the most common types of brute force attacks to understand how they work and when the attacker might want to use them.
Enumeration Brute Force Attack
Enumeration is the most basic traditional form of brute force attack. An enumeration brute force attack will try all numbers and/or letters sequentially within a defined range. The most common inputs are numbers, letters, and special characters.
Simple enumeration is especially useful when trying to crack a password that is known to be limited to only numbers.
For example, we know that a WiFi WPS password is always an eight-digit PIN. Therefore an enumeration attack would start with 00000000 and then increment one at a time until the password has been successfully cracked.
In the case of brute force cracking a WPS PIN, the enumeration method can be compared to a random brute force attack that randomly generates and tries numbers between 00000000 and 99999999.
Random Brute Force Attack
In a random brute force attack, the attacker randomly generates potential password combinations and then tries each of these combinations online to see if it is the correct password for the user’s account.
This type of attack is different from a traditional enumeration brute force attack because instead of incrementing one at a time, a random brute force attack relies on the hope that random combinations will be able to guess the correct password faster.
However, because it is computationally expensive to generate and try a large number of random password combinations, this type of attack is typically not practical unless the attacker has access to a large amount of computing power.
Dictionary Brute Force Attacks
In a dictionary brute force attack, the attacker uses a program that tries to guess the user’s password by trying every word in a list of words, known as a “dictionary” or “wordlist”.
Wordlists used as input for dictionary attacks can be created by the attacker themselves from scratch by using lists of names, cities, sports teams, and dictionary words, or downloaded from online sources such as Github. The attacker can also use various techniques to modify these wordlist file inputs to generate various combinations.
For example, the attacker may try adding numbers or special characters to the end of each word, or may try different variations of the word (such as capitalizing the first letter or using different spellings). This type of attack can be effective because many people use words that can be found in a dictionary as their passwords.
Hybrid Brute Force Attacks
A hybrid brute force attack is a type of password-cracking technique that combines elements of a dictionary attack with elements of a traditional brute force attack (enumeration and random attacks).
In a hybrid attack, the attacker first uses a program to try to guess the user’s password by systematically trying every word in a pre-defined list of words, as in a dictionary attack.
If this does not yield any results, the attacker will then switch to a traditional brute force attack, in which the program attempts to guess the password by trying every possible combination of characters.
This type of attack can be more effective than either a dictionary attack or a traditional brute force attack alone, as it allows the attacker to quickly try a large number of commonly used words before moving on to a more thorough search of the entire space of possible password combinations.
Reverse Brute Force Attacks
Instead of trying multiple passwords against a single user, a reverse brute force attack uses a single common password against multiple account usernames or email addresses. The end goal is identical to other types of brute force attacks – to gain access to a user account or network resource.
However, reverse brute force attacks cannot be used to target one particular high-value account. Instead, they rely on the knowledge that many people use the most popular passwords, such as “password123”, “p@$$word”, or others.
The reverse brute force approach uses an input list of usernames or email addresses to test with the known common passwords.
Credential Stuffing Brute Force Attacks
Credential stuffing is another type of brute force attack that specifically uses stolen usernames and passwords to try and breach an account. Credential stuffing is based on the assumption that many users reuse usernames and passwords across multiple websites or network services.
Users obviously cannot remember a unique random password for every account, and credential stuffing takes advantage of this fact. Credential stuffing attacks are likely to have a higher success rate than plain brute-forcing because the attacker starts with some known information about the target accounts.
Also, a highly skilled attacker may combine credential stuffing with a hybrid brute force technique, generating modified variants of the stolen password to guess a user’s current password when it is similar to the old one and changes only something like the number at the end of a word.
Rainbow Table Attacks
A rainbow table attack is a password-cracking method that uses a special table (known as a “rainbow table”) to crack the password hashes that have been stolen from a database.
As mentioned earlier, a well-designed application should not store passwords in plaintext. But if a database of hashes can be stolen by an attacker, they can try to guess the password that was used to generate any of the hashes.
This type of attack must be conducted offline, but if the attacker can guess the password used to create the hash, they can use that knowledge to identify the plain text passwords from hashes in other stolen password hash databases.
The use of rainbow table attacks has dramatically decreased due to a technique known as “salting.” Salting is a modern technique used to make rainbow table attacks much more difficult. It involves adding an extra random value (the salt) to every password before hashing, so that the same password produces a different hash value for each user.
This means that a cracked hash cannot be reused against other stolen password hash databases, because every salted hash is unique.
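The hashing and salting described in the two sections above, as an added example that is not part of the original article or of Password Hero’s own tools. It assumes PBKDF2-HMAC-SHA256 from Python’s standard library as the salted scheme and unsalted MD5 as the weak legacy scheme; the “rainbow table” and the user passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; a real deployment tunes this as high as latency allows

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; draws a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def unsalted_md5(password: str) -> str:
    """The weak legacy scheme a rainbow table targets: one password always maps to one fixed hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def demo() -> dict:
    # Constructed: an attacker's precomputed table of unsalted MD5 hashes for a few common passwords.
    rainbow = {unsalted_md5(p): p for p in ["password123", "p@$$word", "letmein"]}
    alice = hash_password("password123")  # two users who chose the same weak password
    bob = hash_password("password123")
    return {
        "unsalted_lookup_hits": unsalted_md5("password123") in rainbow,  # the table cracks it instantly
        "salted_hashes_differ": alice != bob,                              # same password, two salts
        "salted_lookup_hits": alice.split("$")[3] in rainbow,              # precomputed table is useless
        "alice_verifies": verify_password("password123", alice),
        "wrong_password_rejected": not verify_password("password124", alice),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```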
How Attackers Can Use Reconnaissance For Brute Force Attacks
In a targeted attack, the victim’s password may be vulnerable if it is related to personal information that can be discovered through open-source intelligence (OSINT) techniques.
For example, attackers may be able to use the victim’s birthday, hometown, family name, favorite sports team, or other personal details to generate wordlists for use in dictionary or hybrid brute force attacks.
To protect against these types of attacks, it’s important for users to avoid using personal information as part of their passwords and to choose strong, unique passwords that are difficult for attackers to guess.
Reconnaissance can also be used in brute force attacks by scanning the dark web for publicly released data stolen by hackers. This information, which may include user account details and passwords, can be used to check whether the victim reuses passwords across multiple sites, or to derive patterns for brute-force attacks. By gaining access to this type of information, attackers can greatly increase their chances of success in a brute-force attack.
Hackers can also improve their chances of success in password cracking by sharing information with each other.
For example, it is well known among cyber security experts that the most common password for securing a home wireless network is the WiFi router owner’s phone number. Through sharing this type of knowledge, hackers can learn from the successes and failures of others and apply this knowledge to their own password-cracking attempts.
In this way, reconnaissance can also include gathering information about the techniques and strategies that have been used by other hackers to crack various types of passwords.
How Can I Protect Against A Brute Force Attack?
The methods for protecting against a brute force attack vary depending on your role in the process. Website and mobile app developers, for example, have the responsibility to design and implement secure systems that are resistant to brute force attacks.
Users, on the other hand, have the responsibility to choose strong, unique passwords and to avoid reusing passwords across multiple sites.
Protecting Your Website
As a website owner, it is important to protect your customer’s accounts from brute force attacks. But it’s not only customers that are at risk here. Most websites also have administrative logins for the website managers to log in and add content or modify the site.
Here are some general tips for preventing brute force attacks that websites should use when designing and building their website:
- Set minimum password complexity and length requirements. That way users are forced to create strong passwords that use a combination of letters, numbers, and special characters.
- Offer multi-factor authentication (MFA) options. MFA is a strong defense against all forms of password brute-forcing and credential stuffing attacks because the user must have their mobile device with them to log in.
- Salt and hash all stored passwords. This ensures that if attackers steal the user passwords, the information cannot be easily used against the users. This technique has significantly reduced the number of successful rainbow table attacks.
- Provide only ambiguous error messages. This gives attackers less information when they are brute-forcing such as being able to identify if a particular email address has an account on the site.
- Configure a rate-limiting system. This slows brute-forcing by making the user wait for some time after they get their password wrong several times. A user with a password manager is unlikely to get their password wrong, so the delay effectively slows down attackers.
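The “ambiguous error messages” and “rate-limiting” tips above, combined in one login gate, as an added example that is not part of the original article or of any Password Hero product. It assumes a sliding-window policy (five failures in five minutes locks the username and the client IP for fifteen minutes), an injected `verify` callback that already does the salted-hash check, and an injected clock so the lockout can be exercised without waiting; the user, guesses and IP addresses are constructed.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

# Constructed policy: MAX_FAILURES failures inside WINDOW seconds lock the key for LOCKOUT seconds.
MAX_FAILURES, WINDOW, LOCKOUT = 5, 300.0, 900.0
GENERIC_ERROR = "Invalid username or password."  # identical text for every failure cause

class LoginGate:  # rate-limits login failures per username and per client IP
    def __init__(self, verify: Callable[[str, str], Optional[bool]], now: Callable[[], float]):
        self._verify = verify  # True = password ok, False = wrong password, None = unknown user
        self._now = now        # time.monotonic in production; a fake clock in the demo below
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str) -> bool:
        return self._now() < self._locked_until.get(key, 0.0)

    def _record_failure(self, key: str) -> None:
        now, q = self._now(), self._failures[key]
        q.append(now)
        while q and now - q[0] > WINDOW:  # forget failures older than the sliding window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT
            q.clear()

    def attempt(self, username: str, password: str, client_ip: str) -> Tuple[bool, str]:
        """Return (ok, message); the message never reveals which check failed."""
        if self.is_locked(username) or self.is_locked(client_ip):
            return (False, GENERIC_ERROR)  # not even verified while locked out
        if self._verify(username, password) is True:
            self._failures.pop(username, None)
            return (True, "Login successful.")
        self._record_failure(username)  # unknown user and wrong password count the same
        self._record_failure(client_ip)
        return (False, GENERIC_ERROR)

def demo() -> dict:
    users = {"alice": "correct horse battery staple"}  # constructed; plaintext only for this demo
    clock = [0.0]
    gate = LoginGate(lambda u, p: (users[u] == p) if u in users else None, lambda: clock[0])
    guesses = ["password123", "p@$$word", "letmein", "qwerty", "alice2023"]
    msgs = [gate.attempt("alice", g, "203.0.113.7")[1] for g in guesses]
    while_locked = gate.attempt("alice", users["alice"], "203.0.113.7")  # right password, still locked
    clock[0] += LOCKOUT + 1  # lockout expires
    after = gate.attempt("alice", users["alice"], "203.0.113.7")
    unknown = gate.attempt("mallory", "anything", "198.51.100.9")
    return {"all_generic": all(m == GENERIC_ERROR for m in msgs),
            "locked_despite_right_password": while_locked == (False, GENERIC_ERROR),
            "ok_after_lockout": after[0],
            "unknown_user_same_message": unknown[1] == GENERIC_ERROR}
```

Because verification is skipped while locked, an attacker who stumbles on the right password during the lockout learns nothing from the response.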
Protecting Your Online Accounts
Brute force attacks are relatively easy to defend against by using strong, unique passwords that are not based on common words or phrases.
PasswordHero is here to provide you with the tools to easily generate 100% unique random passwords that are impossible to brute force. Users should also use a password manager to conveniently store their login credentials and unique passwords for each account they use. This strategy takes virtually all the work out of being secure!
Wow, that was a lot of information to take in! But, now that we understand how brute force attacks happen, the different types of brute force attacks, and the common pitfalls that can allow a user account to be brute forced, we are better prepared to protect ourselves and our websites from them.
Let’s quickly review the key takeaways of password brute-forcing:
- Don’t reuse passwords across multiple sites – ever!
- Use a password generator such as Password Hero to generate a strong random password and store your password in a password manager.
- Websites and software should always store user passwords as a salted hash to prevent the hashes from being cracked and used in a rainbow attack if they are stolen.
- Websites can use techniques such as rate limiting to monitor how many passwords have been attempted and throttle the number of attempts that can be made.
- Websites can use ambiguous error messages to prevent attackers from gaining information from the outcome of a brute force attempt.