What is a brute force attack?
A brute force attack is a cyberattack that uses trial and error to crack passwords, guess login credentials, or recover encryption keys. In a typical brute force attack, attackers script bots that keep guessing for as long as necessary, until the right value is found or every possible combination has been tested.
Imagine a persistent bot that attempts to guess your credentials. Instead of giving up after a few tries, the bot can keep trying for however long it takes until all possible combinations have been tested. That’s how a brute force attack works.
The potential consequences: an invasion of privacy, leak of sensitive information, or financial loss. In this article, we will cover how brute force attacks work, and what you can do to prevent them hitting your organization.
Contents
> Different Types of Brute Force Attacks
- Simple Brute Force Attacks
- Dictionary Attacks
- Hybrid Brute Force Attacks
- Reverse Brute Force Attacks
- Credential Stuffing
> Why do attackers carry out brute force attacks?
> Brute Force Attack Tools
> How to Prevent Brute Force Password Hacking
> Conclusion
Different Types of Brute Force Attacks
Cyberattackers have several aces up their sleeves, and use many types of brute force attacks to steal sensitive data.
Simple Brute Force Attacks
It doesn’t get any simpler than this. Before turning to automation, an attacker might try their luck at simply guessing a user’s login credentials by hand. They’ll usually start with common passwords (e.g. password1234, 123456, 0000) before moving on to more informed guesses. With a script, the same idea becomes exhaustive: every combination in a chosen character set and length range is tried in turn, which is why password length matters far more than any single clever substitution.
Targeted users put their accounts at risk by reusing one password across multiple accounts, or by building passwords from names and dates that are easy to guess.
Dictionary Attacks
Dictionary attacks are brute force attacks that use likely words, phrases, and passwords exposed in past breaches to crack weak passwords. Unlike simple brute force attacks, they don’t enumerate every possible string. Instead, they work through a limited, relevant, and well-selected list of words and phrases. Dictionary attacks can be done manually by the attacker or automated using bots.
An intruder might initiate a dictionary attack if they already know the user’s email or username. For example, if the target account used “jack20ny87” as a username, a hacker could easily determine that the account belongs to a user named Jack, born in 1987 and currently living in New York. Using information gathered through past data breaches, hackers might then cycle through passwords used by other similar usernames, adding special characters and switching up letters with numerals (and vice versa). Some examples include “Jackny21!”, “Jackny872021”, etc.
A long, randomly generated password appears in no wordlist, so as more users adopt such passwords, dictionary attacks are much less likely to yield results.
Hybrid Brute Force Attacks
Hybrid brute force attacks combine simple and dictionary techniques to crack weak passwords. Using logic, mixed characters/numerals, and the attacker’s imagination, they can use tools to figure out simple combo passwords, such as “J4ck1234pass”, “Jackyankees87”, or “J4ck1987ny”.
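The dictionary and hybrid attacks described above both come down to candidate generation: take a base word learned from the target, apply the mangling rules attackers (and the rule engines in hashcat and John the Ripper) commonly use, and test each candidate against a leaked hash. The following is an added example written for this page, not DataDome’s code or any tool’s; the target hash, the base word, the years and the tags are constructed, and the leetspeak table and rule order are assumptions chosen to reproduce the “J4ck1987ny” style of password the text mentions.

```python
import hashlib

# Leetspeak substitutions that attacker rule sets commonly apply (assumed table).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def base_variants(word):
    """Case and leetspeak variants of one base word: jack, Jack, JACK, j4ck, J4ck."""
    out = set()
    for cv in (word.lower(), word.capitalize(), word.upper()):
        out.add(cv)
        out.add(cv.translate(LEET))
    return out


def mangle(word, years, tags):
    """Hybrid candidates: base variant + year (4- or 2-digit) + tag, in both orders."""
    years = [""] + [str(y) for y in years] + [str(y)[-2:] for y in years]
    tags = [""] + list(tags)
    out = set()
    for b in base_variants(word):
        for y in years:
            for t in tags:
                out.add(f"{b}{y}{t}")
                out.add(f"{b}{t}{y}")
    return out


def sha256_hex(password):
    # Unsalted SHA-256 stands in for a leaked hash. A real system should store a
    # slow, salted hash (bcrypt, scrypt, Argon2) precisely so this loop costs more.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, base_words, years, tags):
    """Return (password, attempts) if a hybrid candidate matches, else (None, attempts)."""
    tried = 0
    for word in base_words:
        for cand in sorted(mangle(word, years, tags)):
            tried += 1
            if sha256_hex(cand) == target_hash:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: what an attacker infers from the username "jack20ny87".
    leaked = sha256_hex("J4ck1987ny")
    print(crack(leaked, ["jack"], [1987], ["ny", "!", "yankees"]))
    # A long random password is not reachable from any base word and is never found.
    print(crack(sha256_hex("gQ7#vLp2!xZr9mWe"), ["jack"], [1987], ["ny", "!", "yankees"]))
```

The point of the second call is the one the next section makes: a password that is not derived from a guessable base word defeats this whole class of attack, regardless of how many rules the attacker stacks.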
Reverse Brute Force Attacks
In a reverse brute force attack (also called password spraying), everything starts with a known or very common password. Hackers use that password as a starting point, trying it against millions of account usernames until they find one that matches.
Frequent data breaches enable reverse brute force attacks by exposing thousands of passwords and other types of personal data. Databases from organizations, companies, and even governments are vulnerable to breaches, and the biggest ones can make it onto mainstream news reports, catching the attention of attackers.
Credential Stuffing
Many of us are guilty of using the same username and password for more than one website. The problem with reusing credentials across multiple accounts is that it leaves us vulnerable to credential stuffing.
Basically, if there’s a data breach on one of the websites you use, fraudsters take the leaked username and password pairs and replay them against thousands of other websites. This is why you’re advised to change all your passwords if you learn that your credentials have been compromised.
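The three patterns above (one account hammered from one source, one password walked across many accounts, and breached pairs replayed from many sources) leave different footprints in an authentication log, and a defender classifies them by grouping failures per source and per account. The following is an added example for this page, not DataDome’s detection logic: the log line format, the sample lines and the thresholds are all constructed assumptions, and the thresholds in particular would need tuning against a real baseline.

```python
import re
from collections import defaultdict

# Constructed log format (not from any real product): one line per login attempt.
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def build_sample_log():
    """Constructed sample: three attack shapes plus a little normal traffic."""
    lines = []
    # Classic brute force: one source hammers one account.
    lines += ["ip=203.0.113.5 user=alice result=fail"] * 12
    # Reverse brute force / password spray: one source, one guess per account, many accounts.
    lines += [f"ip=198.51.100.7 user=user{i} result=fail" for i in range(12)]
    # Credential stuffing from a botnet: many sources, one breached pair each, some succeed.
    lines += [f"ip=192.0.2.{i} user=cust{i} result={'ok' if i < 2 else 'fail'}" for i in range(12)]
    # Normal user: repeat logins from a familiar address.
    lines += ["ip=203.0.113.99 user=bob result=ok"] * 2
    return lines


def parse(lines):
    return [m.groupdict() for m in map(LOG_RE.search, lines) if m]


def analyze(lines, min_attempts=10, min_sources=5):
    """Return a list of findings; thresholds are assumptions and need tuning to real traffic."""
    events = parse(lines)
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(e["result"] == "fail" for e in evs)
        if len(users) >= min_attempts and len(evs) <= 2 * len(users):
            # Many accounts, at most a couple of tries each: a spray / reverse brute force.
            findings.append({"kind": "password_spray", "key": ip, "count": len(users)})
        elif fails >= min_attempts and len(users) == 1:
            findings.append({"kind": "brute_force", "key": ip, "target": users.pop(), "count": fails})

    for user, evs in by_user.items():
        ips = {e["ip"] for e in evs}
        fails = sum(e["result"] == "fail" for e in evs)
        if fails >= min_attempts and len(ips) >= min_sources:
            # One account, many sources: brute force distributed across a botnet.
            findings.append({"kind": "distributed_brute_force", "key": user, "count": fails})

    # Stuffing leaves no per-IP or per-account hotspot. Look instead for a burst of
    # one-shot attempts from addresses never seen again, and count how many succeeded.
    singles = [evs[0] for evs in by_ip.values() if len(evs) == 1]
    if len(singles) >= min_attempts:
        hits = sum(e["result"] == "ok" for e in singles)
        findings.append({"kind": "credential_stuffing", "key": "fleet",
                         "count": len(singles), "successes": hits})
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The stuffing heuristic is the weakest of the four, because a successful stuffing run looks like ordinary logins from new devices; in practice it is combined with device fingerprinting, an unusually high fleet-wide failure rate, and checks of the source addresses against known botnet or proxy ranges, which is what the bot detection products mentioned later on this page do.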
Why do attackers carry out brute force attacks?
Brute force attacks are cumbersome and time-consuming. Cybercriminals can spend months (or even years) trying to crack passwords and gain access to user accounts because the rewards can be sizable.
When criminals gain access to a personal account, they can steal the user’s money or identity, or sell the credentials to a third party. Compromised accounts are also a common launch point for phishing, since messages from a real account reach the victim’s contacts with more credibility.
But it’s not just about stealing personal data. Malicious hackers can brute force websites for many other reasons:
- Placing spam or fraudulent ads on compromised popular websites to earn commissions.
- Profiting from the sale of personal, sensitive data to advertisers without permission.
- Spreading malware through malicious links and websites, working their way up from user accounts to wider networks.
- Preparing for cyberattacks against bigger corporations. Once compromised machines have been enrolled in a botnet, attackers may be able to launch a distributed denial-of-service (DDoS) attack.
- Targeting specific organizations in an attempt to tarnish their reputation or ruin them financially.
The goal of brute force attackers is not to just acquire a few random credentials. If possible, they will use the credentials to launch wider attacks, threatening whole networks at a time.
Brute Force Attack Tools
Most cybercriminals use a range of tools to launch multiple attacks against a specific website or login page. They use bots to run through thousands of password combinations until they find a way into personal accounts. Nobody sits around typing random strings of letters, numerals, and special characters; the attacks are automated, organized, and calculated. Here are some of the most common brute force attack tools out there:
- Aircrack-ng: This popular WiFi auditing suite recovers WEP keys and runs dictionary attacks against captured WPA/WPA2-PSK handshakes to crack WiFi passphrases.
- John the Ripper: A free password-cracking program that runs on fifteen different platforms. It combines multiple password crackers and supports simple (exhaustive), dictionary, and rule-based hybrid attacks.
- Crack: A Unix password-cracking program that allows administrators to locate users with weak passwords. It was the first standalone cracker developed for Unix.
- Cain and Abel: A password recovery tool developed for Microsoft Windows, simplifying and automating many attack methods. It is no longer maintained but still circulates.
- Hashcat: One of the fastest password-cracking tools out there, built to run on GPUs. Its attack modes cover dictionary, mask (exhaustive) brute force, combinator, hybrid, and rule-based attacks against a large catalogue of hash formats.
Brute force attacks require tremendous amounts of computing power. For offline attacks against stolen hashes, the bottleneck is GPU throughput, so cybercriminals often use several tools and machines as they attempt to crack as many passwords as possible. For online attacks against a login page, the bottleneck is the target’s rate limiting, which is why attackers use botnets to spread their attempts across tens, hundreds, or even thousands of devices and IP addresses.
How to Prevent Brute Force Password Hacking
You should never leave your website, web application, mobile app, or APIs vulnerable to increasingly common brute force attacks. Avoid data breaches and increase network security by encouraging the use of strong passwords in your organization. Ideally, employees should use long, unique passwords; length and unpredictability matter more than forced mixes of character classes, and current guidance (NIST SP 800-63B) favors checking new passwords against lists of known-breached passwords over composition rules.
Because nobody can remember a unique random password for every account, give users a password manager so that reuse across accounts stops being the path of least resistance.
As an administrator, you can protect your organization from brute force attacks by:
- Introducing an account lockout policy or progressive delays after repeated failures, together with rate limits per source IP.
- Using a well-designed, privacy compliant CAPTCHA.
- Requiring strong passwords from all registered users.
- Requiring a password change whenever credentials are known or suspected to be compromised (scheduled rotation every few months is no longer recommended by NIST SP 800-63B, because it pushes users toward predictable variations).
- Enabling two-factor authentication (2FA) or even multi-factor authentication, if possible.
- Using a bot detection solution to block credential abuse and account takeover bots.
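The first item in the list above, lockout or progressive delay, is easy to get subtly wrong: the delay must be enforced before the password is checked, a lockout must not let an attacker learn which usernames exist, and a per-account policy alone does nothing against a spray that touches each account once, so a per-source limit is needed as well. The following is an added example written for this page, not DataDome’s code, showing one login gate that combines all three; the thresholds, the PBKDF2 iteration count (kept low for speed here; production should use a much higher count or Argon2) and the injected clock are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

PBKDF2_ITERATIONS = 50_000  # illustrative; a slow hash makes every guess cost the attacker


class LoginGuard:
    """Login front door: per-account progressive delay + lockout, plus a per-source rate limit.

    Parameters are assumptions chosen for illustration, not a recommended policy.
    """

    def __init__(self, delay_after=3, max_failures=10, lock_seconds=900,
                 ip_limit=30, ip_window=60):
        self.delay_after = delay_after      # failures before delays start
        self.max_failures = max_failures    # failures before the account locks
        self.lock_seconds = lock_seconds
        self.ip_limit = ip_limit            # failures per source allowed within ip_window seconds
        self.ip_window = ip_window
        self.users = {}                     # username -> (salt, pbkdf2 hash)
        self.fail_count = defaultdict(int)
        self.next_allowed = defaultdict(float)
        self.locked_until = defaultdict(float)
        self.ip_failures = defaultdict(deque)
        # Dummy credential so unknown usernames cost the same time as real ones.
        self._dummy = (os.urandom(16), bytes(32))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def _verify(self, user, password):
        salt, stored = self.users.get(user, self._dummy)
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        return ok and user in self.users

    def login(self, user, password, ip, now):
        """Return one of ip_rate_limited, locked, delayed, ok, fail. `now` is seconds, injected for testing."""
        # 1. Per-source rate limit, checked first because it is cheap and needs no account state.
        recent = self.ip_failures[ip]
        while recent and now - recent[0] > self.ip_window:
            recent.popleft()
        if len(recent) >= self.ip_limit:
            return "ip_rate_limited"
        # 2. Account lockout.
        if now < self.locked_until[user]:
            return "locked"
        # 3. Progressive delay: attempts arriving early are refused without being verified.
        if now < self.next_allowed[user]:
            return "delayed"
        # 4. Verify. Unknown users and wrong passwords both yield "fail" (no enumeration).
        if self._verify(user, password):
            self.fail_count[user] = 0
            self.next_allowed[user] = 0.0
            return "ok"
        recent.append(now)
        n = self.fail_count[user] + 1
        self.fail_count[user] = n
        if n >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.fail_count[user] = 0
            return "locked"
        if n >= self.delay_after:
            # 1 s, 2 s, 4 s, ... between allowed attempts: ten guesses take minutes, not milliseconds.
            self.next_allowed[user] = now + 2 ** (n - self.delay_after)
        return "fail"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    for t in (0.0, 1.0, 2.0, 2.5, 3.0):
        print(t, guard.login("alice", "wrong", "203.0.113.5", t))
```

Two design points are worth noting. Refusing an early attempt without verifying it (step 3) means a delayed attacker cannot even learn whether the guess was right, and returning plain "fail" for an unknown username, after hashing against a dummy credential, keeps both the response and its timing from leaking which accounts exist. The lockout does reveal itself, which is the usual trade-off: an attacker can deliberately lock accounts as a denial of service, so the lock is short and the per-source limit does most of the work against spraying.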
Conclusion
Cybersecurity should never be taken lightly. Brute force attacks come in many forms, and they can cause serious and irreversible damage to users, their assets, and even to whole networks and organizations, including your business. Cybercriminals utilize various tools and techniques to break into accounts, access sensitive information, and wreak havoc.
Prevention is the only way to keep attackers at bay. Enable two-factor authentication, and encourage users to set strong and unique passwords. For sensitive actions such as payments and transfers, require a second verification step (for example a one-time code) even from an already logged-in session, so that a stolen password alone is not enough to move money.
No single defense can ensure total protection against brute force attacks—it’s a matter of having a sensible security policy, and a number of different tools.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/what-is-a-brute-force-attack/

