Brute force attack: definition, types, and prevention
February 24, 2022 / Knowledge

One in ten companies is targeted with a brute force attack every week. Some of those attacks succeed and some fail. What separates the two, and what stops an attack from succeeding?

Learn to understand the brute force attack, recognize its types, and protect your data.

What is a brute force attack?

A brute force attack is a commonly used password cracking method. It works by trial and error: the attacker submits one candidate after another, working through possible username and password combinations until one is accepted. Just as you might try every key on a keyring until the door opens, the attacker tries passwords.

The goal is to guess valid credentials and then take over the account, plant malware on the site, or disrupt the network.

How does it work?

The attack is called "brute force" because it relies on sheer volume of attempts rather than on any flaw in the login system: it simply forces its way in by guessing until it gets lucky.

This is a relatively old but still effective method, and some criminals still carry it out by hand against a handful of obvious passwords. The majority of attacks today, however, are automated: bots and cracking software can try thousands or millions of guesses per second, limited only by how fast the target responds or how fast the attacker's hardware can compute password hashes.


Is brute force illegal?

It depends.

For instance, if you forget your own password and try every combination you can think of, that is a brute force method, yet it raises no legal issue. Likewise, guessing your mom's Facebook credentials with her permission is perfectly legal.

If your mom did not know about it, or you tried to crack your best friend's account for fun, that is a grey area, and it may amount to a criminal offence.

Lastly, a brute force attack carried out with criminal intent is against the law. Breaking into an account to gain access to private data, sensitive files, or business networks is illegal, full stop.

How does a hacker come up with passwords?

Coming up with passwords worth trying is not difficult. Attackers start with passwords that are easy to guess or that have already been used somewhere.

Here is the logic behind choosing candidate passwords for a brute force attack:

  • Previously leaked passwords. Dark web forums are full of breached credentials, and any attacker can download a dump and try those passwords against other accounts.

  • Weak passwords. Commonly used credentials such as 123456 and qwerty are always worth a try.

  • Common words and phrases. Passwords such as password, hello, or summer are among the first an attacker will try.

What are the types of brute force attacks?

Each brute force attack may use a different cracking method to get into your account. These are the standard types:

  • Simple brute force attack – the attacker tries easy-to-guess passwords, sometimes even by hand. If your password is a common word like password or a sequence of digits like 1234567890, the success rate is high.

  • Hybrid brute force attack – the attacker combines a dictionary with reasoning about how people modify words. Each likely word is tried together with appended numbers, years and symbol substitutions. This type of attack would guess passwords such as Eva1977, or a dictionary word with an @ swapped in for the letter a.

  • Reverse brute force attack – as the name suggests, the attacker starts from an already known password (for example, one from a dark web dump) and tries it against many usernames to find an account where it works. If your username is admin, or simply your name, that makes things easy.

  • Dictionary attack – the attacker tries every word or phrase from a wordlist of commonly used passwords against the account.

  • Credential stuffing – the attacker replays a username and password pair that was leaked in an earlier data breach, betting that the victim reused the same combination on another site.
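To make the five types concrete, here is an added example (written for this page, not code from the original article) that runs each attack offline against a constructed set of password hashes. The usernames, passwords, wordlist and "leaked" pairs are all made up; storing the targets as unsalted SHA-256 is an assumption chosen only to keep the example self-contained (a real system should use a slow, salted hash such as bcrypt or Argon2, which makes every attack below far more expensive).

```python
"""Offline demonstration of brute force attack types (added example).

Targets are unsalted SHA-256 hashes of constructed passwords; this is an
illustrative assumption, not a recommendation for real password storage.
"""
import hashlib
import itertools
import string


def h(pw: str) -> str:
    """Hash a candidate the same way the (assumed) target system does."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed "breach" of three accounts: username -> password hash.
TARGETS = {
    "admin": h("1234"),
    "eva": h("Eva1977"),
    "bob": h("summer"),
}
# Constructed username/password pairs leaked from some other site.
LEAKED_PAIRS = [("bob", "summer"), ("carol", "hunter2")]
# Constructed mini wordlist of commonly used passwords.
WORDLIST = ["password", "hello", "summer", "eva", "admin", "welcome"]


def simple_brute_force(target_hash, alphabet=string.digits, max_len=4):
    """Exhaustive search: every string over `alphabet` up to `max_len`.
    Returns (password, number_of_guesses) or (None, number_of_guesses)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(combo)
            if h(cand) == target_hash:
                return cand, tried
    return None, tried


def dictionary_attack(target_hash, words=WORDLIST):
    """Try each wordlist entry as-is."""
    for w in words:
        if h(w) == target_hash:
            return w
    return None


def hybrid_candidates(words, years=range(1970, 1981)):
    """Mangle wordlist entries: capitalise, append years, substitute symbols."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for y in years:
                yield f"{base}{y}"            # summer1977
                yield f"{base}{y % 100:02d}"  # summer77
            yield base.replace("a", "@").replace("o", "0")  # p@ssw0rd


def hybrid_attack(target_hash, words=WORDLIST):
    """Dictionary words plus mangling rules; catches Eva1977-style passwords."""
    for cand in hybrid_candidates(words):
        if h(cand) == target_hash:
            return cand
    return None


def reverse_brute_force(known_password, targets=TARGETS):
    """One known password tried against every username; returns users it opens."""
    ph = h(known_password)
    return [user for user, stored in targets.items() if stored == ph]


def credential_stuffing(pairs, targets=TARGETS):
    """Replay leaked username/password pairs; returns the ones that still work."""
    return [(u, p) for u, p in pairs if u in targets and targets[u] == h(p)]


if __name__ == "__main__":
    print("simple:    ", simple_brute_force(TARGETS["admin"]))
    print("dictionary:", dictionary_attack(TARGETS["bob"]))
    print("hybrid:    ", hybrid_attack(TARGETS["eva"]))
    print("reverse:   ", reverse_brute_force("summer"))
    print("stuffing:  ", credential_stuffing(LEAKED_PAIRS))
```

Note how the plain dictionary attack misses Eva1977 while the hybrid rules find it, and how the four-digit PIN falls to exhaustive search in a few thousand guesses: the attack type an attacker picks is dictated by how the victim chose the password.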


How to protect yourself from a brute force attack?

To protect yourself or your company from successful brute force attacks, apply these cybersecurity principles:

  • Use a strong, unique password for each account. Ideally, generate it with a random password generator and make it at least 15 characters long; every extra character multiplies the number of guesses an attacker has to make.
  • Avoid building passwords from publicly available information. Your date of birth, family names and pet names are exactly what a hybrid attack tries first.
  • Turn on two-factor authentication for (at least) your sensitive accounts. Even if an attacker guesses the password correctly, they still cannot get in without the second factor.
  • Never reuse a password on multiple platforms. This is what protects you from credential stuffing when one site is breached.
  • Use a password manager. It will generate strong, random passwords for you and store them in an encrypted vault, so you never have to remember or reuse them.
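As an added example (not from the original article) of the first two recommendations, the block below generates a password with a cryptographically secure random source, estimates the size of the search space a brute force attacker would have to cover, and rejects candidates built from known public facts. The guess rate of ten billion per second is an assumed, illustrative figure; real rates depend on the hashing algorithm and the attacker's hardware.

```python
"""Strong password generation and brute force cost estimate (added example)."""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 15  # the article's recommended minimum
ASSUMED_GUESS_RATE = 1e10  # assumed guesses/second, for illustration only


def generate_password(length=MIN_LENGTH, alphabet=ALPHABET):
    """Uniformly random password; `secrets` uses the OS CSPRNG, unlike `random`."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second=ASSUMED_GUESS_RATE):
    """Worst-case time for exhaustive search at the given guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


def contains_public_info(password, public_facts):
    """True if any known fact (name, birth year, ...) appears in the password."""
    low = password.lower()
    return any(fact.lower() in low for fact in public_facts)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, f"({keyspace_bits(len(pw), len(ALPHABET)):.1f} bits)")
    # Eva1977-style: a name plus a year, roughly 7 alphanumerics.
    print("Eva1977-style, years to exhaust:", years_to_exhaust(7, 62))
    print("15 random chars, years to exhaust:", years_to_exhaust(15, 94))
    print("Eva1977 uses public info:",
          contains_public_info("Eva1977", ["Eva", "1977"]))
```

The comparison is the point: a name-plus-year password has a search space that is exhausted in minutes at the assumed rate, while fifteen uniformly random characters from the full printable alphabet take longer than the age of the universe, and no amount of clever hybrid rules helps the attacker because the password was never derived from a word in the first place.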