A brute force attack is a popular cracking method that involves guessing usernames and passwords to gain unauthorized access to a system or sensitive data. While a relatively simple, brute force methods continue to have a high success rate and account for over 80% of attacks on web applications.
While some attackers continue to perform manual brute force attacks, most use automated tools and scripts that leverage commonly used password combinations to bypass authentication processes or try to access encrypted data by searching for the right session ID. Other common targets for brute force attacks are API keys and SSH logins.
What is the purpose of a brute force attack?
Brute force attacks can also occur in the early stages of more sophisticated cyberattacks, typically as a form of reconnaissance or initial infiltration into the first layer of security.
To launch a cyberattack attackers need to gain a point of entry. Brute force techniques are a "set and forget" method of gaining access.
If the brute force attack works, attackers can use privilege escalation or abuse poor access control to gain additional access. This is why strong passwords, defense in depth, and the principle of least privilege are important parts of any cybersecurity strategy.
What does a brute force attack look like?
It's not uncommon to get an email from a third-party vendor or service provider telling you that someone has attempted to log into your account from a random location.
When this happens, it can be an indication that you've fallen victim to a brute force attack. If this happens to you, we suggest updating your passwords immediately.
In fact, many security-conscious organizations will rotate or change passwords on a regular basis to minimize the risk of undetected or unreported brute force attacks.
If you suspect your organization or your users are under attack, here are some things to look for:
- Multiple failed login attempts from the same IP address
- Login attempts with multiple usernames from the same IP address
- Multiple login attempts for a single username coming from different IP addresses
- An unusual pattern in failed login attempts such as sequential alphabetical or numerical patterns
- An abnormal amount of bandwidth being used after a successful login attempt which could signal that someone is downloading sensitive data
Brute force attack examples
Brute force attacks happen all the time and there are numerous high profile examples:
- Alibaba: In 2016, attackers used a database of 99 million usernames and passwords to compromise nearly 21 million accounts on Alibaba's eCommerce site TaoBao in a massive brute force attack.
- Magento: In 2018, up to 1,000 open-source accounts were affected by brute force attacks that took advantage of weak passwords to steal information and distribute malware.
- Northern Irish Parliament: In 2018, several members of the Northern Irish Parliament were victims of brute force attacks.
- Westminster Parliament: A brute force attack in 2017 led to up to 90 email accounts being compromised.
- Firefox: In 2018, it was revealed that Firefox's master password feature could be easily brute-forced.
What are the types of brute force attack?
- Simple brute force attacks: A generic type of attack that can use different, systematic approaches to guess possible passwords but does not apply any underlying logic. This is typically used on local files as there is no limit to the number of attempts
- Dictionary attacks: This type of brute force attack uses a list of common words and passwords instead of randomly iterating. This can improve the success rate over pure brute force password cracking but often requires a large number of attempts against possible targets to guess the correct password.
- Hybrid brute force attacks: A hybrid attack uses both a dictionary attack and regular iterative patterns. Instead of trying all possible combinations, it will perform small modifications to words in a dictionary, such as adding special characters or changing the case of letters.
- Rainbow table attacks: A precomputed table for reversing cryptographic hash functions, used to guess a function up to a certain length consisting of a limited set of characters
- Reverse brute force attack: Uses a collection of common passwords against many possible usernames to gain access. Typically targets users who are known to use weak passwords
- Credential stuffing: Uses username-password combinations exposed in the biggest data breaches, data leaks, or phishing scams and tries them on multiple websites. Credential stuffing can have a good success rate as people reuse the same username and password across web applications.
How to prevent brute force attacks
As brute force attacks don't rely on vulnerabilities or exploits, keeping software up to date isn't enough to protect yourself. A few common methods you can use to prevent brute force attacks:
- Use strong passwords
- Restrict access to authentication URLs
- Limit login attempts
- Use CAPTCHAs
- Enforce two-factor authentication
Use strong passwords
Brute force attacks rely on reused or weak passwords. Passwords that have the following characteristics can prevent brute force attacks:
- Unique: Avoid reusing passwords, even if they are complex passwords as websites can be compromised and passwords can be cracked. By reusing passwords, you're giving attackers an easy way to gain unauthorized access to your accounts on other websites.
- Long: All else equal, longer passwords are harder to crack than shorter passwords. For example, a nine-character password takes significantly longer to brute force than an eight-character password, and an eight-character password takes significantly longer than a seven-character password. Once character count is beyond a certain point, brute-forcing a properly randomized password becomes unrealistic.
- Complex: While simple passwords are easy to remember, they are also often simple to crack. We suggest using a password manager to generate robust passwords for you.
Restrict access to authentication URLs
For a brute force attack to work, it needs to be able to test the credentials against a login page. Many automated URLs use the default login page URL and scan the web for victims.
For example, a brute force attack tool might scan the web for WordPress sites and navigate to /wp-login.php, WordPress' default login page.
Changing /wp-login.php to /yoursite-login can be enough to mitigate the risk of many automated attacks. Unfortunately, this won't work for more targetted attacks or if the page is linked from other parts of your site.
Limit login attempts
Brute force attacks rely on being able to attempt multiple passwords and accounts in a single session. Consider using lockout functionality to restrict the number of times an incorrect login can be tested.
A common way to do this is to temporarily ban an IP address from logging in after three failed attempts, where subsequent failures are banned for longer and longer periods.
A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human. By using a CAPTCHA solution, you can prevent bots and automated tools from testing username and password combinations on your website by forcing them to complete a challenge before submitting the form.
reCAPTCHA is a free security service that protects your websites from spam, abuse, and brute force attacks provided by Google.
Enforce two-factor authentication
Two-factor authentication prevents the compromise of a single authentication factor (like a password) from compromising the account. The mechanism typically works by requesting the traditional login information, then sending a confirmation to a device, usually a smartphone, such as a text, phone call, or in-app security verification screen.
Ideally, only the authorized person would have the smartphone and could then accept or reject the authentication requests as necessary. More advanced mechanisms can require bio-authentication, such as a fingerprint swipe, which prevents lost or stolen phones from being used to falsely issue confirmations.
Popular brute force attack tools
There are a number of popular brute force attack tools:
- THC-Hydra: Runs through a large number of password combinations via simple brute force or dictionary-based attacks, and can attack more than 50 protocols and multiple operating systems.
- Aircrack-ng: A network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It can be used on Windows, Linux, iOS, and Android and uses a dictionary of widely used passwords to breach network security.
- John the Ripper: A free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms.
- L0phtCrack: A password auditing and recovery application used to test passphrase strength and to recover lost Microsoft Windows passwords by using dictionary, brute-force, hybrid, and rainbow table attacks.
- Hashcat: A password recovery tool that was a proprietary codebase until it was open-sourced in 2015. Examples of Hashcat-supported hashing algorithms are Microsoft LM hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, and Cisco PIX.
- DaveGrohl: A brute force password cracker for MacOS. It supports all of the standard Mac OS X user password hashes (MD4, SHA-512 and PBKDF2) used since OS X Lion and also can extract them formatted for other popular password crackers like John the Ripper.
- Ncrack: A Unix password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack.
How UpGuard can prevent brute force attacks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
UpGuard BreachSight's identity breaches module searches for third-party data breaches on the open, deep, and dark web and shows you where an employee's credentials have been exposed.
If we find a match, we will add the breach name, risk, data exposed, date of breach, publish date, notification status, and number of employees exposed to your UpGuard account.
The severity of a breach depends on the type and amount of data exposed. As an example, a data breach that includes passwords could result in attackers gaining unauthorized access to your organization using the exposed credentials.
This example requires that employees reuse passwords across services, which is not uncommon.
We can also help you assess your other security controls by monitoring your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.