Even with every security best practice in place, cybercriminals keep expanding and refining their knowledge in order to get around those practices somehow. The brute force attack is one of the simplest and most effective types of attack for compromising someone's online account.
Although these attacks cannot be avoided completely, we recommend reading this article, which explains what they consist of. We also recommend the measures that every IT support team should apply to manage the passwords of the users of a business network more securely.
What is a brute force attack?
A brute force attack is a common type of attack in which the cybercriminal makes repeated attempts to guess the username and password of an application or service.
You might think this is an extremely laborious activity that requires many resources and many hours. In practice, automated tools carry out the work. Automated scripts running on powerful computers with capable CPUs and GPUs speed up the process as much as possible, so that all possible credential combinations can be tested in the shortest possible time.
It does take a lot of computing resources. A basic personal computer would take a long time to crack a password with any of the tools that automate brute force attacks, because they work through millions of credential combinations. Computers used for these attacks are therefore equipped with as much CPU, RAM, and GPU power as possible.
These attacks target all kinds of web applications, websites, and related services. Once the right credential combination is hit, many types of personal data can be accessed. Most attacks are, of course, aimed at banking, financial, and commercial data. Likewise, any data that can identify you is very useful to an attacker seeking some kind of return, especially financial gain.
How effective are brute force attacks?
The truth is that carrying out a brute force attack requires a lot of talent and tenacity, because it can never be predicted with certainty how long a successful brute force attack will take. In other words, cracking a password this way can take hackers anywhere from a few minutes to years, always depending on the length and complexity of the password they want to break.
For this reason, the general recommendation is to create passwords of considerable length, that is, at least 8 characters, including uppercase letters, lowercase letters, special characters, and digits.
Brute force attack types
Next, we list the most common types of brute force attacks, from the simplest to carry out to the most complex.
Traditional way
In this variant, the cybercriminal manually tests as many username and password combinations as possible. The number of combinations that can be tried depends on factors such as where the targeted users come from and what personal data is known about them; dictionary-type programs can also be used. The latter make it easier to generate combinations, saving the time it would take to think them up.
Reverse attack
A type of attack that is usually very effective and does not require much effort is the reverse attack. Its method consists of testing a few different password combinations against large groups of users.
Why would this variant of the brute force attack be chosen? Many users still keep passwords that are very easy to guess. Likewise, users who receive or have access to a default username and password (for example, on Wi-Fi routers) tend not to change them. The time saved by not changing passwords is precisely what leaves those devices vulnerable to attack.
Another situation worth discussing is that of people who use CCTV security cameras. The cameras have a web or mobile interface with a specific username and password. It is, of course, advisable to change both the username and the password. However, many people never do, which leaves their cameras wide open for malicious people to access and control.
Shodan is a well-known web portal that makes it easy to locate any computer with a public IP address, that is, any device reachable on the internet. Precisely, one of the most popular searches is for security camera management interfaces, especially those that still use their default access credentials. Of course, this is an invaluable source for any cybercriminal who wants to breach these security systems. But many companies and individuals also use tools like this for professional and educational purposes: they can even help to define strategies for better protecting any device that is reachable on the network.
Rainbow table attack
A rainbow table attack starts from the hash value and reproduces the steps of a chain until the password is obtained. Often the value is not in the table, so it is reduced with the same reduction function that was used to build the chain, and the result is hashed again. This procedure is repeated until the hash value reaches one of the chain endpoints stored in the table.
Reaching an endpoint does not by itself mean the password has been found; it identifies the character chain which, when followed to the end, reveals the plain text that makes up the password.
They are called rainbow tables because a different color is assigned to each reduction step to avoid confusion. In the end there are so many reductions, each with its own color, that the result looks like a rainbow.
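To make the chain mechanics above concrete, and to show why per-user salting defeats them, here is a toy rainbow table written for this article (it is an added example, not code from the original page). Everything in it is constructed for illustration: the keyspace is 4-digit numeric PINs, the "fast" hash is SHA-256, the per-step reduction function is an arbitrary mapping of the first hash digits back into the keyspace, and the chain length and starting points are chosen only to keep the demo small. The table stores just start and end points; a lookup reduces the target hash as each column would, walks to a chain end, and regenerates that chain to find the plaintext. Hashing with a random salt produces values the precomputed chains never contain, so the same lookup comes back empty.

```python
import hashlib
import os

# Constructed toy keyspace: 4-digit PINs (10,000 candidates). Real tables
# target far larger spaces with exactly the same mechanics.
KEYSPACE = 10_000
CHAIN_LEN = 20


def h(password: str) -> str:
    """Fast, unsalted hash: the storage scheme rainbow tables are built against."""
    return hashlib.sha256(password.encode()).hexdigest()


def reduce_(digest: str, step: int) -> str:
    """Map a digest back into the keyspace. Each step uses a different
    reduction (the 'colour' of the rainbow), which limits chain merges."""
    return f"{(int(digest[:12], 16) + step) % KEYSPACE:04d}"


def build_table(starts):
    """Precompute chains; only the endpoint -> start points are stored."""
    table = {}
    for start in starts:
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_(h(p), step)
        table.setdefault(p, []).append(start)
    return table


def lookup(table, target):
    """Try to recover the plaintext for `target` from the precomputed chains."""
    # The password could sit at any column k of some chain: reduce the target
    # as column k would, walk to the chain end and see whether that end is known.
    for k in range(CHAIN_LEN):
        p = reduce_(target, k)
        for step in range(k + 1, CHAIN_LEN):
            p = reduce_(h(p), step)
        for start in table.get(p, []):
            # Endpoint matched: regenerate the chain from its start and check
            # every column, because a matching endpoint can be a false alarm.
            p = start
            for step in range(CHAIN_LEN):
                if h(p) == target:
                    return p
                p = reduce_(h(p), step)
    return None


def salted_hash(password: str, salt: bytes) -> str:
    """Same hash function, but with a random per-user salt mixed in."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed starting points: every seventh PIN, about 1,400 chains.
TABLE = build_table(f"{i:04d}" for i in range(0, KEYSPACE, 7))


def coverage(sample):
    """Fraction of sample PINs the table recovers from their unsalted hash."""
    hits = sum(1 for pin in sample if lookup(TABLE, h(pin)) == pin)
    return hits / len(sample)


if __name__ == "__main__":
    pins = [f"{i:04d}" for i in range(0, KEYSPACE, 97)]
    print(f"{len(TABLE)} endpoints, unsalted coverage: {coverage(pins):.0%}")
    print("salted lookup:", lookup(TABLE, salted_hash("1234", os.urandom(16))))
```

The coverage figure is well below 100% even though the chains hold more slots than the keyspace: chains that collide in the same column merge, so precomputation trades a little success rate for a much smaller table. The salted lookup returns nothing because the table was built for `sha256(pin)`, not `sha256(salt || pin)`, and an attacker would need a fresh table per salt value.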
Dictionary attacks
Strictly speaking, this is not a brute force attack that tests every possible combination, but dictionaries are one of the main tools of any cybercriminal who carries out password cracking attacks.
What do they consist of? They are sets of phrases generated from certain rules. For example, the candidate passwords may be numeric or alphanumeric sequences, or include different special characters, as each password is generated.
Wifislax is a popular Wi-Fi network hacking toolkit that bundles a complete suite of tools and lets you gain comprehensive knowledge about them. Among the tools available are dictionary generators. We reiterate that these programs can consume a lot of computing resources.
How to protect your accounts effectively from brute force attacks?
In addition to the typical advice on choosing secure passwords, it is worth mentioning the measures that everyone responsible for managing network users must follow. An important best practice is never to store passwords themselves in the database, only their hashes, and, if possible, to compute those hashes with a password-oriented hash function.
Password creation policies should not be neglected either. It is important not only to raise awareness about the use of strong passwords, but also for the policies themselves to prompt the user with messages about whether the password is strong enough and whether it complies with all the rules for creating passwords. Whenever a user logs in to their work environment, within the company or remotely, the number of attempts within a given period must be limited so that, for example, after three failed attempts the login is blocked and a reset is required.
Depending on the application, service, or resource the user is logging in to, it is also better to use CAPTCHA and multi-factor authentication methods. These are extremely useful for ensuring that the legitimate user is really the one logging in.
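The three server-side measures above (store only a password-oriented hash, enforce the creation policy, and lock the account after three failed attempts until a reset) fit together in one small login service. The following is an added example written for this article, not code from any product it mentions. It assumes scrypt as the password-oriented hash with work-factor parameters chosen for the demo, a 15-minute window for counting failed attempts, the policy rules from the article's password recommendation (at least 8 characters with uppercase, lowercase, digits and special characters), and an injectable clock so the lockout can be exercised without waiting. CAPTCHA and multi-factor checks would sit in front of `login` and are left out here.

```python
import hashlib
import hmac
import os
import re
import time

# Assumed work factor for scrypt; raise it as hardware allows.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
SALT_LEN = 16
MAX_ATTEMPTS = 3          # the article's policy: lock after three failed attempts
ATTEMPT_WINDOW = 15 * 60  # assumed: seconds during which failures are counted


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Return salt || scrypt(password). Only this value is stored, never the password."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


# Creation rules from the article's recommendation; each entry is the message
# shown to the user when the rule is not met.
POLICY = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("a digit", lambda p: re.search(r"\d", p) is not None),
    ("a special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def policy_violations(password: str) -> list:
    """Feedback for the password creation form: which rules are still unmet."""
    return [rule for rule, ok in POLICY if not ok(password)]


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so tests can control time
        self.users = {}         # username -> stored salt || hash
        self.failures = {}      # username -> timestamps of recent failures
        self.locked = set()
        # Hash verified against for unknown usernames, so response time does
        # not reveal whether an account exists (constructed at startup).
        self.dummy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        violations = policy_violations(password)
        if violations:
            raise ValueError("password needs " + ", ".join(violations))
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        if username in self.locked:
            return "locked"
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < ATTEMPT_WINDOW]
        stored = self.users.get(username, self.dummy)
        # Always run the hash, even for unknown users, to keep timing uniform.
        if verify_password(password, stored) and username in self.users:
            self.failures.pop(username, None)
            return "ok"
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked.add(username)   # stays locked until an explicit reset
            return "locked"
        return "bad_credentials"

    def reset(self, username: str) -> None:
        """Unlock after an out-of-band reset (help desk or password reset flow)."""
        self.locked.discard(username)
        self.failures.pop(username, None)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "Correct-Horse9")
    for attempt in ("wrong1", "wrong2", "wrong3", "Correct-Horse9"):
        print(attempt, "->", svc.login("alice", attempt))
```

Two details matter for the brute force case specifically: the lockout counts failures per account rather than per source address, so spreading guesses across many IP addresses does not help, and the unknown-user path still performs a full scrypt computation so that an attacker cannot cheaply confirm which usernames exist before guessing passwords.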