Arguably one of the oldest cybercrime techniques in the book, the brute force attack remains one of the biggest cybersecurity threats in the world today. It is simple, has a high success rate, and carries very little risk for the attacker, making it a favorite among cybercriminals.
Here, we will discuss the brute force attack, its variations, and how to effectively prevent them.
What Is a Brute Force Attack?
As the name suggests, the brute force attack involves trying usernames and passwords over and over again, working through all possible combinations until one grants unauthorized access to an account or system. The appeal of the brute force attack is its simplicity, and with advances in computing power it can be carried out much faster than ever before.
Typically a cybercriminal will use automated software (bots) and scripts to perform the brute force attack, making attempts far faster than any human could. The motivation for a brute force attack may include stealing sensitive and/or valuable information, performing DDoS attacks, infecting the system with malware, and others.
Some attackers, however, might attempt the brute force attack manually, especially when they already hold known user credentials. Many defense measures have been developed and deployed to counter brute force attacks, but hackers and cybercriminals have responded by creating many different techniques and variations of the brute force attack, as we will discuss below.
Different Types of Brute Force Attacks
While there are many different variations of brute force attacks at the moment, here are some of the most common ones:
- Simple brute force: using a basic systematic approach to guess the username and/or password. For example, if it’s an 8-character password, the bot might try “aaaaaaaa”, “aaaaaaab”, “aaaaaaac”, and so on.
- Dictionary attack: creating a list (dictionary) of commonly used strings or phrases, and trying them one by one.
- Hybrid brute force: combining dictionary attack with simple brute force attack, starting from a dictionary of possible strings, and then modifying the characters one by one as in a simple brute force attack.
- Rainbow table brute force: a technique for attacking passwords that are stored as cryptographic hashes. A ‘rainbow table’ is a precomputed table that maps hash values back to the passwords that produce them, covering all passwords up to a certain length, so a stolen hash can be looked up instead of hashing every guess.
- Reverse brute force: a conventional brute force attack tries to guess the password for a known or commonly used username. A reverse brute force attack takes the opposite approach, trying commonly used passwords against many possible usernames. It may be combined with credential stuffing (described next).
- Credential stuffing: reuses previously leaked credentials (username-password pairs) on another site. Many hackers sell stolen credentials on the dark web and various forums, and credential stuffing relies on the fact that many users reuse the same username-password combination across different systems.
Impacts of Brute Force Attacks
As you might have guessed, although brute force attacks are relatively simple to execute, they can take a long time before a single attack succeeds. So, what is the motivation behind them? What potential impact of these brute force attacks makes them profitable for criminals? Here are a few:
- Stealing sensitive and valuable data
The cybercriminal is attempting to gain unauthorized access to accounts to steal identity, financial information, or sell the account’s credentials for profit. There are also cases where the whole database of an organization has been exposed from seemingly simple brute force attacks.
- Exploiting the website for profit
After a successful brute force attack, attackers might exploit the website to make money, for example by:
  - Rerouting the site’s traffic to spam ad sites (to collect money from fraudulent ads)
  - Putting spam ads on the site and earning money each time an ad is clicked or viewed
  - Infecting the site with activity-tracking malware, then selling the gathered user activity data to third-party buyers
- Spreading malware
The attacker might spread malware to your system and turn it into part of a botnet. Your visitors’ computers might also be infected by the malware, ruining your site’s reputation.
How To Prevent Brute Force Attacks
Brute force attacks, as discussed, are relatively simple, but can be very difficult to defend against. Here are some effective prevention tactics you can implement:
1. Stronger Passwords
Fairly obviously, the best and arguably the easiest way to prevent brute force attacks is to use stronger passwords and a unique password for each account. However, it might be staggering that, according to Google, 52% of surveyed users reuse their passwords, and many of them use weak credentials.
You should use a strong password with at least 10 characters that combine uppercase, lowercase, numbers, symbols, and spaces. You can also use various password managers and random password generators to further minimize risks.
Some additional methods you might try:
- Multi-factor authentication: requiring additional proof besides the username-password combination before people can access their accounts (iris scan, fingerprint, USB dongle, etc.). This ensures that even when the brute force attack guesses the password correctly, the attacker still can’t access the account.
- Hashed passwords: administrators should randomize password hashes by adding a salt (a random string of letters and numbers) to each password. The salt should be stored in a separate database and must be added to the password before it is hashed. Also, make sure to protect system administrator passwords with the strongest encryption available.
- Educate: minimizing human error is very important in ensuring password best practices. Educate your employees on using unique, strong passwords and on using password managers for convenience without sacrificing security.
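To make the salted-hashing advice above concrete, here is an added example (not code from the original article or from DataDome) that hashes and verifies passwords with PBKDF2-HMAC-SHA256 from Python’s standard library, beside the unsalted scheme it replaces. The iteration count and salt length are assumed values, and where the salt is stored is left to the caller.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed parameters for this example: a slow key-derivation function makes every
# guess an attacker must hash expensive, while one login stays fast enough for users.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is generated unless one is
    supplied, so two users with the same password never share a hash; that is what
    makes a precomputed (rainbow) table useless against this store."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_BYTES)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time,
    so a wrong guess cannot be told apart by how long the comparison takes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def unsalted_sha256(password: str) -> bytes:
    """The weak scheme for contrast: one fast hash, no salt. Every user with this
    password gets the identical digest, so one precomputed table covers them all."""
    return hashlib.sha256(password.encode("utf-8")).digest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "correct horse battery staple"
    salt_a, key_a = hash_password(pw)
    salt_b, key_b = hash_password(pw)
    print("unsalted digests identical:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("salted keys identical:     ", key_a == key_b)
    print("right password accepted:   ", verify_password(pw, salt_a, key_a))
    print("wrong password rejected:   ", not verify_password(pw.upper(), salt_a, key_a))
```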
2. Advanced Bot Detection System
Since brute force attacks are typically executed by bots and automated software, having a bot detection and management solution can significantly help in lowering the risks of brute force attacks.
A good bot detection solution can quickly identify behaviors that indicate brute force attempts and mitigate or completely block that traffic. Another important consideration is that the bot manager should still allow legitimate human traffic to access your site and not ruin your UX.
DataDome’s anti-bot software, for example, can be deployed in minutes and detects brute force attacks in real time while running on autopilot. You will receive notifications when your site is under attack, but you won’t need to do anything.
3. Monitor and Limit When Needed
Watch accounts in real time for unusual activity. Peculiar login locations, for example, are a strong sign that a user account has been compromised. Another strong sign of a brute force attack is repeated failed login attempts, so you should limit login attempts and throttle that client’s activity.
Limiting login attempts is the most basic (but effective) way to prevent brute force attacks. In theory, a brute force attack will always succeed given an unlimited number of attempts and unlimited time. So, by limiting login attempts, you deny attackers the volume of attempts they need.
Consider blocking the IP address after a specific amount of failed login attempts.
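The monitor-and-limit advice above, as an added example that is not from the original article or from DataDome’s product: a small Python login guard that keeps sliding-window counters of failed attempts per account and per source IP, throttles an account after repeated failures, and blocks an IP after a set number of failures. The thresholds, window length and sample login events are constructed for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds are constructed for this example; tune them to your real traffic.
MAX_FAILS_PER_ACCOUNT = 5   # failures per window before the account is throttled
MAX_FAILS_PER_IP = 20       # failures per window before the source IP is blocked
WINDOW_SECONDS = 300

def prune(q, now):
    while q and now - q[0] > WINDOW_SECONDS:   # drop timestamps outside the window
        q.popleft()

@dataclass
class LoginEvent:
    ts: float        # Unix time of the attempt
    ip: str          # source address
    username: str    # account targeted
    success: bool    # would the submitted password have been correct?

class LoginGuard:
    """Sliding-window counters of failed logins per account and per source IP."""
    def __init__(self):
        self.fails_by_user = defaultdict(deque)
        self.fails_by_ip = defaultdict(deque)
        self.blocked_ips = set()   # a real deployment would expire these entries

    def process(self, ev: LoginEvent) -> str:
        """Return 'block_ip', 'throttle_account' or 'allow' for one attempt."""
        if ev.ip in self.blocked_ips:
            return "block_ip"
        user_q = self.fails_by_user[ev.username]
        prune(user_q, ev.ts)
        decision = "throttle_account" if len(user_q) >= MAX_FAILS_PER_ACCOUNT else "allow"
        if ev.success and decision == "allow":
            user_q.clear()   # a genuine login resets the account counter
            return decision
        # A throttled attempt never reaches the password check, so it counts as a failure.
        user_q.append(ev.ts)
        ip_q = self.fails_by_ip[ev.ip]
        ip_q.append(ev.ts)
        prune(ip_q, ev.ts)
        if len(ip_q) >= MAX_FAILS_PER_IP:
            self.blocked_ips.add(ev.ip)
        return decision

# Constructed sample: a reverse brute force (one IP, many usernames), six failures
# against 'alice', then alice logging in from her own address, once late.
SAMPLE = ([LoginEvent(t, "10.0.0.5", f"user{t:02d}", False) for t in range(20)]
          + [LoginEvent(20, "10.0.0.5", "user20", True)]
          + [LoginEvent(30 + i, "203.0.113.9", "alice", False) for i in range(6)]
          + [LoginEvent(36, "198.51.100.7", "alice", True), LoginEvent(337, "198.51.100.7", "alice", True)])
```

Replaying SAMPLE through a LoginGuard yields “allow” for the first twenty attempts, “block_ip” once the attacking address has crossed the threshold, “throttle_account” for alice’s sixth failure and for her own next login, and “allow” again once the window has passed. That throttling of the real user while her account is under attack is the trade-off of per-account lockout.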
Brute force attacks can be a serious cybersecurity threat for any website, big or small, and there are many different types and methods that can be very challenging to defend against.
While there’s no one-size-fits-all approach to defend your site against brute force attacks, having an advanced bot management solution like DataDome is arguably the best practice in defending against these attacks.
This is because most attackers today use bots and automated software to perform their brute force attacks. By quickly detecting bots and limiting or blocking them, we can successfully prevent even the most advanced brute force attacks.
About the Author
Mike is passionate about all emerging technologies in the IT space and loves to write about all of them. He is a lifetime marketing and internet expert with over 10 years of experience in web technologies, SEO, online marketing, and cybersecurity.