Cyber criminals have many sophisticated techniques to hack people’s devices and steal their login credentials, but one of their most successful methods is also their simplest: brute force.
In this blog, we explain how brute force attacks work, why they differ from methods such as phishing and malware, and the ways organisations can prevent intrusions.
What is a brute force attack?
A brute force attack is a method of criminal hacking that involves breaking into a system by guessing usernames and passwords.
Fraudsters do this through trial and error. They know that many people use common passwords, so it might take only a few attempts to guess the login credentials correctly.
According to one report, only 15% of passwords are unique, which means the majority of credentials are used on multiple systems. Meanwhile, some passwords, such as ‘123456’, ‘qwerty’ or ‘password’, are used countless times.
Cyber criminals can also use automated tools that can run through thousands of passwords each minute. They will use a combination of common or otherwise known usernames (with the information obtained in a previous data breach) and a bot that runs through a database of login credentials until they find a correct match.
The attacks take almost no effort on the attackers’ part, and the sheer volume of attempts they can make is what makes brute force a popular and successful method of cyber attack.
Types of brute force attacks
Brute force describes a general technique for cyber crime. Within it, there are several specific methods that an attacker might use:
- Simple brute force attacks
A simple brute force attack is one in which the criminal hacker manually guesses a user’s login credentials. They don’t rely on software tools, instead typing in frequently used passwords.
The hacker might also guess passwords based on what they know about the individual. For instance, many people pick passwords based on specific things about them, such as a pet’s name or the football team they support.
If the hacker knows this information, they might suppose the individual has chosen a password based on this.
- Dictionary attacks
A dictionary attack works on the assumption that the individual’s password is based on a standard word in the dictionary.
This gives the attacker a list of candidate passwords, and they can use a bot programmed with that list to try each entry in turn.
- Hybrid brute force attacks
A hybrid brute force attack combines a dictionary attack with simple brute force.
These attacks can occur when the criminal hacker obtains a valid username and is trying to crack the password. They might start with a list of common words, then experiment with character, letter and number combinations.
This technique enables them to create slightly more sophisticated versions of common passwords, where – for example – a pet’s name or the city they live in is supplemented with a number or a relevant year.
- Reverse brute force attacks
Whereas a standard brute force attack attempts many possible passwords against a single username, a reverse brute force attack sticks with one common password (such as ‘123456’) and runs it through a database of usernames.
A reverse brute force attack can also be used when the attacker has discovered a list of passwords in a security breach. They can then use known passwords to search for a matching username.
- Credential stuffing attacks
Credential stuffing works on the assumption that people reuse the same passwords on multiple systems.
If a criminal hacker breaches one account, they can try the same login credentials elsewhere.
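As an added example (not part of the original post), the following Python script runs over a constructed set of login records and separates the two shapes described above: many guesses piled onto one account, versus a guess or two spread across many accounts. The log format, the threshold and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of login records, not taken from the original post.
# Format assumed here: "time src_ip username FAIL|OK".
SAMPLE_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 alice FAIL
10:00:03 203.0.113.5 alice FAIL
10:00:04 203.0.113.5 alice FAIL
10:01:01 198.51.100.9 alice FAIL
10:01:02 198.51.100.9 bob FAIL
10:01:03 198.51.100.9 carol FAIL
10:01:04 198.51.100.9 dave FAIL
10:02:01 192.0.2.77 alice FAIL
10:02:02 192.0.2.77 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log_text):
    # Return (time, ip, user, failed) tuples; malformed lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "FAIL"))
    return events

def classify_sources(events, threshold=4):
    """Label each source IP whose failures reach the threshold.
    'brute-force': failures pile up on one username (simple/dictionary/hybrid).
    'reverse-brute-force': failures are spread thinly over many usernames,
    the shape reverse brute force and credential stuffing leave in a log.
    """
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failures
    for _, ip, user, failed in events:
        if failed:
            fails[ip][user] += 1
    labels = {}
    for ip, per_user in fails.items():
        if sum(per_user.values()) < threshold:
            continue          # a couple of typos from one user is normal
        if max(per_user.values()) >= threshold:
            labels[ip] = "brute-force"
        elif len(per_user) >= threshold:
            labels[ip] = "reverse-brute-force"
    return labels
```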
How weak passwords enable brute force attacks
No matter what technique cyber criminals use, their attacks are made possible because of people’s bad password practices.
The biggest problem is that people often don’t follow recommendations for creating passwords. You must always use a unique word or phrase and avoid common patterns, such as ‘123’ or ‘abc’.
Likewise, you should avoid passwords that are based on things from your life that someone might know or be able to look up online. Your pets’ names, memorable dates, the city you were born in, or details related to hobbies should not be used for a password.
In the past, password guidance has suggested that people obfuscate their password with character substitutions. For example, a phrase with the letter ‘o’ in it might be replaced with the numeral ‘0’, while the letter ‘a’ might be replaced with a ‘4’.
This guidance stemmed from password mechanisms requiring people to use a combination of letters, numbers and special characters, which supposedly made them harder to guess.
Such advice works in theory. The more possible inputs you have, the harder it is for a malicious actor to guess the right combination. So instead of just 26 letters to choose from, there are an additional 10 digits and 32 special characters (such as @, #, +, -, and so on).
The problem is that people used letters and special characters in predictable ways, meaning cyber criminals could easily guess which substitutions someone might use.
In the process, it has made it harder for people to remember their own passwords, so they either write them down somewhere – creating a new threat vector – or they reuse their one seemingly secure password on multiple accounts.
This creates the second major problem. Cyber criminals often discover someone’s password by breaking into an organisation’s systems and stealing its databases. Alternatively, they might purchase information on the dark web that someone else has stolen.
This can cause enough damage by itself, but criminal hackers know that people reuse passwords on multiple accounts. They might therefore target systems with relatively weak security where the accounts don’t contain particularly sensitive information, and then use the stolen credentials on higher-value targets.
This has the potential to turn one data breach into several, with the attacker leveraging information stolen on one account to break into, for example, an online bank account or work account.
How to prevent brute force attacks
The best way to prevent brute force attacks is to ensure that you have a strong password and protect it adequately.
Traditional guidance of combining letters, numbers and special characters has gone out of fashion in recent years, because it has made passwords harder to remember without being substantially more secure.
Instead, cyber security experts say that you can strengthen your passwords by making them longer. The more letters there are, the more potential combinations there are.
One popular technique is to combine three unrelated words of at least six letters. Guessing all three words in the right order is exponentially harder than guessing one word, and the combination can be easily memorised if you create an image of it in your mind.
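To show why undoing ‘0 for o’ style substitutions defeats that kind of obfuscation while length still helps, here is an added Python password check (example code, not from the original post). The blocklist, the substitution table, the sequence check and the minimum length of 18 (three six-letter words) are assumptions.

```python
import re

# Constructed blocklist: the passwords the post names as heavily reused.
COMMON_PASSWORDS = {"123456", "qwerty", "password"}

# Substitutions the post describes (o->0, a->4) plus a few common extras;
# reversing them before the blocklist check is the assumption of this example.
SUBSTITUTIONS = str.maketrans({"0": "o", "4": "a", "3": "e", "1": "i", "$": "s", "@": "a"})

SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop")

def normalise(password):
    """Strip digits/symbols tacked on the end, then undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(SUBSTITUTIONS)

def has_sequence(password, run=3):
    # True if any `run` consecutive characters of a keyboard/alphabet/digit sequence appear.
    p = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            if seq[i:i + run] in p:
                return True
    return False

def check_password(password, min_length=18):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        reasons.append("matches a common password after undoing substitutions")
    if has_sequence(password):
        reasons.append("contains a keyboard or alphabet sequence")
    return reasons
```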
For more tips on creating a strong password and preventing brute force attacks, take a look at our Cyber Security Staff Awareness E-Learning Course.
This e-learning course explains the dos and don’ts of password security, and details other essential security tips that your staff should be aware of, such as the threat of phishing and how to handle sensitive documents and portable devices.
You can use the information to inform your security policies and ensure that your employees become an asset, rather than a liability, when it comes to the threat of cyber crime.