What is a Brute Force Attack?
“Constant rubbing of a rope will cut a stone.” - Swahili Proverb.
A brute force attack attempts to guess a shared secret – such as passwords or encryption keys – by rigorously trying every possible combination. A combination of increased computational power and people’s propensity to use boilerplate passwords have contributed to the continued success of brute force attacks.
Once an attacker is successful with a brute force attack, their options for follow-on compromise include:
Impersonating the real user and enacting account takeover.
Exfiltrating sensitive data from the compromised account.
Moving laterally and installing backdoors for wider-ranging attacks to come.
Selling compromised account credentials to the highest bidder.
How brute force attacks work
Even very motivated attackers with lots of time are unlikely to manually carry out a brute force attack. They instead rely on automation, exploit kits purchased from the dark web, and botnets to do their bidding. Once the attacker has the tools and the lists they need, the brute force attack commences.
Brute force attacks can either be online or offline. In an offline brute force attack, the cybercriminal already has access to encrypted material or password hashes and uses powerful computers to decipher passwords from their hashes. This means the attacker isn’t actually attempting logins while carrying out the brute force attacks, thus avoiding any rate limiting or account lockdown measures in place.
Conversely, an online brute force attack involves the attacker programmatically trying a large number of username-password combinations on login forms in the hope that they get a match.
Attackers often use botnets in brute force attacks. Botnets, which are a network of Internet-connected devices that are controlled by the attacker unbeknownst to the device owners, can be set up by the attacker or purchased off the dark web. In 2020, a P2P botnet called FritzFrog attempted brute force attacks on a number of medical centers, banks, and educational institutions.
Brute force attacks usually occur in the earliest stages of the cyber kill chain and are the gateway to multi-stage attacks.
Also read: Broken Authentication 101
Types of brute force attacks
Brute force attacks take many forms:
Simple brute force attack
Simple brute force attacks use automation without any external logic to guess passwords. These attacks are predicated on the (sadly true) assumption that people use common passwords like 123456 or Password.
While the power of today’s computers makes guessing passwords more trivial than it was before, increasing the length and complexity of the password even slightly makes these attacks cumbersome for the cybercriminal to execute.
That said, it only takes one weak password for a brute force attack – and its follow-on ramifications – to be successful. In 2017, over 90 email accounts of UK parliamentary members were compromised after a “sustained and determined” cyberattack that attempted to identify weak passwords.
As the name suggests, a dictionary attack guesses usernames or passwords by using a dictionary of common words and phrases. These attacks can also leverage passwords that have been stolen and leaked from earlier data breaches.
While attackers can set up their own dictionaries, they usually rely on dictionary software that uses internal logic to substitute “passwordized” characters (e.g. @ instead of a, 5 instead of s) to improve chances of success. Dictionary attacks start with a smaller list of possible passwords than simple brute force attacks and are thus more likely to be effective.
Speaking of "passwordized" characters... if you're in the mood for guessing passwords for fun rather than frustration, play Passwordle.
Reverse brute force attack
A simple brute force attack starts with the cybercriminal knowing a user identifier (like an account number or username) and then trying to guess the associated password. In a reverse brute force attack, the cybercriminal knows the password and uses automation to find the associated user identifier.
Hybrid brute force attack
A hybrid brute force attack uses a combination of dictionaries and guesswork to achieve its end goal. The attacker uses a dictionary to start with a list of common phrases and then experiments with a combination of numbers and special characters appended to the phrase to guess the password.
These attacks are based on the assumption that, even when people try to create complex passwords, they tend to combine words with numbers that are either in sequence or relevant to them (e.g. London123, Jaguar2015).
Rainbow table attack
A rainbow table attack attempts to decipher passwords from their hashes by using a specific table called a rainbow table. A rainbow table is a precomputed database containing plaintext permutations of encrypted passwords and their associated hashes.
To better understand rainbow table attacks, it’s important to know how passwords are generally stored on databases. They are not stored in plaintext, but are rather encrypted using hashes. Since these hashes are static, an attacker can use rainbow tables to break even complex passwords. Salting a hash by adding an extra random value to every hashed password reduces the risk of rainbow table attacks.
In 2019, Julian Assange was indicted by the US Department of Justice for agreeing to break a password using a rainbow table attack.
While traditional brute force attacks try to gain access to a single account at a time, password spraying attacks try a single password on a large number of accounts before moving on to the next password and repeating the process. This method circumvents any account lockout measures in place after repeated login attempts on a single account.
In 2019, researchers observed a wave of brute force attacks that used a botnet of routers and servers to conduct IMAP-based password spraying attacks. They were successful 44 percent of the time.
In a credential stuffing attack, cybercriminals use stolen credentials from a data breach on one web application and try the same credentials on other unrelated web applications.
Credential stuffing attacks are based on two truths: the fact that people tend to reuse passwords across multiple accounts, and the fact that there are billions of leaked passwords available on the dark web. If someone is still reusing a password they first used a decade ago, it’s highly likely that the password has already been leaked and will be used in credential stuffing attempts.
Tips for brute force attack prevention
Here are some measures organizations can take to either prevent or contain the impact of brute force attacks:
Brute force attacks, whether simple or sophisticated, all exploit the inherent weaknesses of passwords. Using passwordless authentication prevents brute force attacks at the source by removing the very thing attackers are seeking. Passwordless authentication also improves the login experience for users and saves resources for organizations dealing with password storage and management.
Consider multi-factor authentication
For organizations not yet ready to move away from passwords altogether, implementing multi-factor authentication (MFA) is an effective way at containing the impact of brute force attacks. MFA enforces an additional factor after the username-password combination has been entered. Whether this is a one-time password sent via SMS or email, or a biometric check with a fingerprint, the attacker will not have access to any of them.
While MFA prevents the attacker from gaining access to the user’s account, it does not prevent the attacker from knowing that the username-password combination itself was successful.
Password and login hygiene
Rather than just expecting users to follow password best practices, organizations can institute measures on their web applications that require complex passwords and make it tougher for brute force attacks to execute. Some of these measures might include limiting the number of failed login attempts before account lockout, monitoring for breached passwords being used to log in, and introducing additional checks like CAPTCHA for suspicious traffic to weed out any bot-attempted logins.