What is a Brute Force Attack? Definition, Types, Prevention Best Practices, and More Skip to main content

The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

What is a Brute Force Attack? Definition, Types, Prevention Best Practices, and More

by Chris Brook on Monday November 7, 2022

Contact Us
Free Demo
Chat

Brute force attacks may seem old and simplistic but they're still effective. Read this blog to help your organization better understand and defend against them.

No one wants their network hacked, and companies want to prevent their data from being stolen or used against them to protect their business reputation and avoid the costs of recovering from a data breach. The idea of a hacker manually typing in usernames and passwords might seem unrealistic now, but that doesn’t mean the old techniques can’t still be used. So what is a brute force attack — and how can you protect yourself against it?

What is A Brute Force Attack?

A brute force attack is a hacking technique that works on the trial and error method. Using this method, the hacker will enter all combinations of keys to find the right password. In simple terms, if a hacker tries to access your email, they will try all types of usernames and password combinations to gain access to your account.

It’s an old and simple technique, but it’s still effective, especially against users who have weak passwords. Depending on the complexity and the length of the password, a successful brute force attack can take anywhere from a couple of seconds to several years.

Types of Brute Force Attacks

There are several types of brute force attacks.

  • Simple Brute Force Attack:

A typical brute force attack uses scripts and tools to make hundreds of guesses in a second. Passwords like “password” or “123456” can be cracked in a few seconds. In fact, there are computer clusters that can make up to 350 billion guesses per second. With speeds like this, any password can be cracked within minutes.

  • Dictionary Brute Force Attack:

A dictionary attack uses combinations of words that are present in the dictionary. It also uses numbers and special characters. There are dictionary software tools available that interchange lower and upper case letters and replace alphabets with similar symbols such as “a” with “@”.

  • Reverse Brute Force Attack:

In a simple attack, the hacker will begin with a known key (for example, an account number or username). Then they use automation to find the password. In a reverse attack, the attacker knows the password but not the username. So they create combinations to find the username.

  • Credential Stuffing:

Every year, hackers steal billions of passwords, and these credentials are then often sold on the dark web. A credential stuffing attack uses these passwords on multiple websites since people generally use the same password on many accounts. For example, if someone’s password on one gaming website is leaked, there’s a strong chance they’ve used the same username and password on other gaming websites as well.

  • Hybrid Attack:

In this attack, the hacker combines two or more types of brute force attacks. For example, they may use a dictionary reverse attack to find the username to a password. Or they may use credential stuffing with a dictionary attack to find the username and password of an account.

How Hackers Use Brute Force

Cyber attackers have automated tools that guess password combinations at super speeds. These password cracking tools are available on the dark web, along with other malware. Leaked credentials are also sold there, and it therefore only takes a little time for a hacker to set up their tools and start their attack.

A hacker can start an attack on their own or use a botnet. A botnet is made of hijacked computers that give processing power to the hacker without the knowledge of the legitimate users of the hijacked computers. Bot kits are also sold on the dark web, and are available for anyone to purchase.

Since botnets have the processing power of several computers, they are more powerful than a single computer, and can thus breach the networks of banks, educational institutions, medical centers, etc. It takes some resources to set up a brute force attack but when they are carried out, they can be extremely effective.

How to Stay Safe Against Brute Force Attacks

Hackers generally have a brute force mechanism that can guess hundreds of passwords in a second. Companies can stay secure from such attacks by following best practices, such as: 

  • Set up a protocol for strong passwords: Don’t allow your employees to have weak passwords. The system should reject passwords that have fewer than 8 characters. Also, the password should contain upper and lower case letters, plus numbers and special characters.

  • IT security training: All employees should be trained on password hygiene, and the use of dictionary-based words should be discouraged or even prohibited. Passwords with random characters are always more difficult to crack than dictionary-based passwords.

  • Limit login attempts: Since brute force attacks enter multiple values in just a few seconds to find which value fits, a simple login attempt limitation can help stop the attack. The system should lock down after a specific number of unsuccessful attempts.

  • Use multi-factor authentication (MFA): With multi-factor authentication, a user will have to enter more than just a password to access their account. This means that even if a hacker is able to crack the password, they will still not be able to access the account. Multi-factor authentication can be set up with biometric scanners and authenticator apps.

  • Use of password managers: Password managers create unique passwords that are hard to crack, and they have the added benefit of storing all the passwords so users don’t have to remember them. With a password manager, a user can have different and complex passwords for all accounts, which reduces the chances of credential stuffing attacks.

  • Implement captcha: A captcha verifies if the credentials being entered are done by a human or a bot. This stops brute force attackers from guessing several values in a few seconds.

  • Implement a User Activity Monitoring or Security Information and Event Management (SIEM) solution: These tools track user behavior to detect anomalies and generate alerts for behavior that could indicate a potential security issue or cyber-attack. In the case of a brute force attack, this type of behavior would be something like a single user making hundreds of login attempts within a few seconds.   

Conclusion

Companies must stay proactive and monitor their systems to ensure there are no brute force attacks, as once a hacker has entered the system, they will be much harder to stop. However, adopting the following methodologies can help to reduce your risk:

  • Strong password requirements

  • IT training

  • Login limitations

  • Password managers

Brute force attacks aren’t the only form of hacking, but taking the necessary steps to reduce your risk can go some way to ensuring the safety of both your network and your business.

Tags:  Passwords Authentication

Chris Brook

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.

Recommended Resources


The Definitive Guide to DLP

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives

The Definitive Guide to Data Classification

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business