Brute-force attacks explained, and why they are on the rise

The surge in remote work has rekindled interest in brute-force attacks, but a few simple steps can make your organization less of a target for them.

Brute-force attack definition

A brute-force attack sees an attacker repeatedly and systematically submitting different usernames and passwords in an attempt to eventually guess credentials correctly. This simple but resource-intensive, trial-and-error approach is usually carried out with automated tools, scripts or bots that cycle through every possible combination until access is granted.

“This is an old attack method, but it is still effective and popular with hackers,” says David Emm, principal security researcher at Kaspersky. “Brute-force attacks are often used to target devices on remote networks to obtain personal information such as passwords, passphrases, usernames and personal identification numbers (PINs).”

However, the longer the password and the stronger the encryption on the saved credentials, the more time and computing power the attack needs, so organizations can reduce its efficiency to the point where it is almost impossible for attackers to execute successfully.

In 2017 both the UK and Scottish Parliaments fell victim to brute-force attacks, while a similar but unsuccessful attack occurred on the Northern Irish Parliament a year later. Airline Cathay Pacific suffered a brute-force attack a year later, for which it was fined £500,000 [~$630,000] by the UK’s data regulator for lacking sufficient preventive measures. Ad-blocking service AdGuard also forced a reset of all user passwords after suffering a brute-force attack.

How brute-force attacks work

Brute-force attacks are often carried out by scripts or bots that target a website or application’s login page. They cycle through every possible key or password. Common applications include cracking passwords on websites or applications, encryption or API keys, and SSH logins.

A password cracking attack is only one step in an attacker’s kill chain, according to Emm. It can be used to gain access to user, email, banking or SaaS accounts or to compromise APIs or any other service that requires a login and credentials.

From there the attacker can perform their intended goal. “A successful brute-force attack gives cybercriminals remote access to the target computer in the network,” explains Emm. “The primary goal for these attackers is to obtain personal information which can then be used to access online accounts and network resources. From there, these can either be used to send phishing links, spread fake content, or even harvest credentials to sell on to third parties.”

“The process of guessing a password for a specific site can be a laborious and time-consuming task, so hackers have since developed tools to help do the job faster,” says Emm. “Automated tools are also available to help with brute-force attacks, with names like Brutus, Medusa, THC Hydra, Ncrack, John the Ripper, Aircrack-ng and Rainbow.”

“Many can find a single dictionary word password within one second. Tools like these work against many computer protocols (like FTP, MySQL, SMTP, and Telnet) and allow hackers to crack wireless modems, identify weak passwords, decrypt passwords in encrypted storage and translate words into leetspeak; ‘don'thackme’ becomes ‘d0n7H4cKm3,’ for example.”

A brute-force attack’s success is measured in the time it takes to successfully crack a password. As a password’s length increases, the time required to crack it increases exponentially. According to Cloudflare, a seven-character password would, at a rate of 15 million key attempts per second, take 9 minutes to crack. A 13-character password would take over 350,000 years.

Likewise, the longer an encryption key, the more time and resources required to overcome it through brute force. A 128-bit encryption key has 2^128 possible combinations, while with 256-bit encryption an attacker would have to try 2^256 combinations. With current technology that would take trillions of years to guess them all.

“Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years,” says Emm. “In fact, IBM reports that some hackers target the same systems every day for months and sometimes even years.”

Even if attackers use graphics processing units (GPUs), which can significantly increase the number of combinations attempted per second, increasing the complexity of passwords and using strong encryption can push the time needed to crack a password beyond anything feasible.

Types of brute-force attacks

Traditional brute-force attacks: An attacker tries every combination possible.

Reverse brute-force attacks: A small number of common passwords are repeatedly tried against many accounts.

Credential stuffing: An attack attempts to use stolen usernames and passwords from sites or services to hijack accounts on other services and applications.

Dictionary attacks: An attack cycles through words from a dictionary or common passwords from other data breaches.

Rainbow table attacks: Using a pre-computed table of plaintext passwords and their corresponding hash values, attackers look up a captured hash to recover its password instead of having to reverse the hashing function.

Remote work increases brute-force attacks

According to Verizon’s Data Breach Investigations Report 2020, less than 20% of breaches within SMBs involve brute force, and less than 10% for large organizations. This trend had remained largely unchanged from the 2019 and 2018 iterations of the report, but the coronavirus pandemic may have changed the landscape.

“As a result of the COVID-19 pandemic, businesses worldwide have adopted remote working policies, which has had a direct impact on the cyberthreat landscape,” says Kaspersky's Emm. “Following the mass transition to home working, cybercriminals have logically concluded that the number of poorly configured RDP [remote desktop protocol] servers would increase, hence the increase in attacks.”

“Since the beginning of March, the number of Bruteforce.Generic.RDP attacks has rocketed across the globe and attacks on remote-access infrastructure are unlikely to stop any time soon — given how many corporate resources have now been made available to remote workers.”

How to secure against brute-force attacks

While no one technique is foolproof against a brute-force attack, organizations can take many measures that force the attacker to spend more time and computing resources, making your business a less appealing target:

  • Use long and complex passwords that are encrypted (ideally with 256-bit encryption).
  • Salt the password hashes. Emm advises that the salt strings should be stored in a separate database and retrieved and added to the password before it is hashed, so that employees with the same password have different hashes.
  • Have good password policy messaging to employees around password complexity and password reuse across multiple accounts.
  • Limit log-in attempts during a certain timeframe or require a reset after a certain number of incorrect attempts.
  • Rate-limit authentication so that each password check takes longer.
  • Enable captchas.
  • Enable multi-factor authentication where possible.
  • Consider using a password manager.
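The salting and attempt-limiting advice above, as an added example that is not part of the original article or any vendor's code: each user gets a random salt so identical passwords hash differently, the hash is deliberately slow (PBKDF2), and an account locks after MAX_FAILURES failed attempts inside WINDOW_SECONDS. The constants, class and method names are hypothetical choices for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5         # lock the account after this many failures ...
WINDOW_SECONDS = 300     # ... within this window (values chosen for illustration)
PBKDF2_ROUNDS = 100_000  # deliberately slow hashing raises the cost of every guess


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, hash). A fresh random salt per user means two employees
    with the same password still end up with different stored hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Verifies salted hashes and locks an account after repeated failures."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the lockout window can be tested
        self._users = {}                     # user -> (salt, hash)
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def is_locked(self, user: str) -> bool:
        now, recent = self._clock(), self._failures[user]
        while recent and now - recent[0] > WINDOW_SECONDS:  # expire old failures
            recent.popleft()
        return len(recent) >= MAX_FAILURES

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'. Unknown users cost the same
        hash computation and get the same answer as a wrong password."""
        if self.is_locked(user):
            return "locked"
        salt, expected = self._users.get(user, (b"\x00" * 16, b""))
        _, candidate = hash_password(password, salt)
        if user in self._users and hmac.compare_digest(candidate, expected):
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(self._clock())
        return "bad_credentials"
```

Once locked, even the correct password is rejected until the failure window has expired, which is what removes the attacker's ability to simply keep guessing.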

