A brute-force attack is a type of cyber-attack where the attacker tries out numerous passwords, passphrases, or security keys in hopes of eventually guessing one correctly and getting access to a system or a resource. This article focuses on passwords, but it's not the only type of brute force attack.
Brute-force attacks are one of the most common methods to crack passwords. They have been responsible for numerous account breaches across various platforms, including email services, social media platforms, and online banking systems.
Attackers like brute-force attacks, they’re easy to automate. With the advancement of technologies that speed up the attempt-generating process, such as graphics processing units (GPUs) and field-programmable gate arrays (FPGAs), they are increasingly less expensive to launch.
The term brute-force attack comes from brute-force search, a problem-solving technique that enumerates all possible solutions and checks whether each one works or not.
Types of brute-force attacks
A brute-force attack is when an attacker tries out all possible values of a password, until they find the correct one. However, there are a few variants.
Exhaustive password cracking
Trying all possible passwords is called exhaustive password cracking. How long does it take? Well, it depends on the length of the password, the size of the alphabet the password is made of, and the speed of the attacker’s computer.
Currently, the fastest password-cracking super-computers can check roughly $10^9$ passwords per second. Let's consider a few examples.
An 8-character password whose alphabet consists of digits, lower-case, and upper-case letters (so each character can be one of 62 possible characters), can be cracked in two and a half days. If we extend the password’s length to 10, cracking takes 26 years.
However, if a password consists of just lowercase, an 8-character password is cracked within 4 minutes, a 10-character password in just under two days, and a 12-character password is cracked in a bit over three years.
Admittedly, these estimates are a bit simplified. If you wanted to test a password against an actual system, the time to crack would be limited by the speed of the system and any additional countermeasures the system has. But the point still stands: trying out all possible passwords is increasingly easy and inexpensive.
However, such exhaustive cracking is needed only if users choose their passwords uniformly at random. Fortunately for attackers, this is seldom the case.
Dictionary attacks aren’t always brute-force attacks, but they often are. In a dictionary attack, the attacker uses common words (typically found in dictionaries), and their variations, to produce a list of password candidates.
Users often create weak, predictable, and short passwords. Many analyses show that the most common passwords today are
football, and similar predictable strings. All an attacker needs to do to reduce the search space is run through the list of common passwords, and they are likely to find a valid match.
Hybrid attacks combine dictionary-based and brute-force attacks.
They are often used when the attacker knows something about the victim: a username, a part of their password, or a common phrase within the password.
The main idea of this approach is to generate variations of some base candidate: take a word (or a combination of words) from a dictionary and add characters. For instance, a hybrid attack might generate password sequences such as
Reverse brute-force attack
In a reverse brute force attack, the attacker already knows a password, and tries to find the corresponding username. The attack simply consists of trying out usernames - either by taking them from a list or by generating them in a brute-force manner.
Attackers can learn this kind of information from a network breach, phishing attack, or similar.
Credential stuffing is an attack where attackers use usernames and passwords obtained in a successful attack on another platform.
The underlying assumption here is that usernames and passwords valid on one platform will also be valid on another. This works, because users tend to recycle usernames and passwords. A breach of information on one platform endangers users on another.
What can we do to protect ourselves against brute-force attacks?
As users, we can improve our passwords by:
- Using longer passwords.
- Using a larger alphabet.
- Choosing lower and upper-case letters, digits, and special characters.
- Choosing random-looking passwords.
- Using unique passwords on different platforms.
- Using multi-factor authentication.
These passwords can be harder to think of and harder to remember, however. A password manager can make it easier to generate and remember passwords across platforms.
A good alternative to a password is to use a a sequence of random words called a passphrase. Passphrases are easier to remember than totally random passwords and are much harder to brute-force due to their increased length.
If the platform supports multi-factor authentication, enable it. Multi-factor authentication, authentication that requires users prove their identity with two or more pieces of evidence, can thwart attacks even in cases when passwords are chosen poorly.
With multi-factor authentication, the attacker has to obtain both a valid username and password and additional authentication evidence, such as an SMS token. This additional work thwarts most brute-force attempts.
As platform providers
As platform providers, we can go even further to protect users against brute-force attacks:
- Require users choose good passwords by setting strong minimum requirements.
- Implement multi-factor authentication and offer it to users by default.
- Install intrusion detection systems and monitor invalid authentication attempts.
- Ban users performing brute-force attacks.
- Rate users to prevent excessive login attempts.
Brute-force attacks are an increasingly common form of cyber-attack. Fortunately, there are a variety of ways to discourage brute-force attacks and encourage better password generation.