What is a Brute Force Attack?

What is a Brute Force Attack?

A brute force is a type of cyberattack that uses trial and error methods to guess login credentials, security keys or other sensitive information. Brute force attacks are surprisingly effective, especially given that about 65% of people reuse passwords. Reusing passwords is a dangerous and common practice, and one compromised password is all it takes to expose an entire system or group of credentials.

Brute force attacks are perpetrated against businesses and individuals alike, because, unfortunately, even employees reuse passwords. The average cost of a successful cyberattack is in the millions of dollars, and brute force attacks are becoming more common as more and more businesses adopt work-from-home practices for good.

How Brute Force Attacks Work

Brute force password attacks work by using software to “guess” credentials. Through trial and error, brute force attacks will input common dictionary phrases, commonly used passwords or specific letter and number combinations until they get a match.

Types of Brute Force Attacks

Simple brute force attacks

Simple brute force attacks use trial and error to try different combinations to guess login credentials. The attacker will use a high-powered computer to try every letter, number and symbol combination they can. While this may seem inefficient, some computers can process trillions of combinations at once.

Dictionary attacks

Dictionary attacks leverage simple dictionary words or phrases to crack user credentials. It’s advisable to use no words or phrases you can find in a dictionary, because a dictionary brute force attack may pick up on them and crack the password.

Hybrid brute force attacks

Using external logic, the software guesses which passwords will have the most success and then uses brute force to apply every combination.

Reverse brute force attacks

This method depends on a few selected common passwords. Lists of common passwords are easy enough to find online. Here's a list of 10,000. A reverse brute force attack uses a list like this to input these common passwords into multiple accounts hoping for a match.

Credential stuffing

Credential stuffing is one of the most effective brute-force methods. Lists with previously breached passwords can be bought on the dark web, and cybercriminals use them to “stuff” credentials in dozens of websites to see if there’s a match. Often, users don’t change passwords on all of their accounts even if they’ve been previously breached.

Why Brute Force Attacks Are a Threat

Brute force attacks are an especially dangerous cyberthreat because they allow a cybercriminal to force their way into several accounts at once. Methods like credential stuffing can attack thousands of accounts at once, and statistically, at least one will yield to the credentials.

Once credentials are verified, cybercriminals can gain access to all manner of accounts, from social media to bank accounts to government and business accounts with sensitive information.

How Remote Work Has Increased Brute Force Attacks

The COVID-19 pandemic forced thousands of businesses to adopt work-from-home models until further notice. This served as one of the greatest business experiments in history. Businesses who had never before supported a work-from-home model were faced with a harrowing dilemma: adapt or perish. And, in fact, thousands of businesses did perish, and those that did not faced new challenges in the form of cyber crime.

From January through December 2020, brute force attacks rose from about 200,000 to well over 1.4 million across the globe. With businesses essentially doing trial runs of work-from-home models, it created the perfect opportunity for cybercriminals to take advantage of unsecured remote desktops and poor password management practices.

How You Can Prevent Brute Force Attacks

Utilize automated tools

You can prevent brute force attacks with sophisticated automated tools. Businesses are already taking on brute force attacks and other malware threats using these tools. As threat detection becomes more sophisticated, it’s depending more on AI technology to detect, prevent and remove threats before they cause damage.

Bot protection can help monitor web traffic for suspicious activity and lock out users when an attack is suspected. Bots can also predict suspicious activity such as multiple login attempts and alert the victim before an attack is completed.

Brute force attacks are simple but often effective, especially if the individual or business doesn't have the right protections in place.

Remove Inactive Accounts

When an employee exits the company, it’s important to remove their account entirely to avoid unauthorized logins. Even if an employee’s account is deactivated, it still acts as a potential point of entry for cybercriminals. Inactive accounts should be terminated as soon as possible and their credentials wiped from the system.

Require 2FA/MFA on All Accounts

Two-factor or multi-factor authentication can be the saving grace in a brute force attack. When a password is used from a strange or undocumented device, it triggers an extra authentication step. This can involve a text or email verification link, a biometric entry or some other method. This adds an extra layer of protection to every account.

2FA and MFA tools are often integrated into password management platforms and other cybersecurity tools. Sysadmins should consider requiring MFA or 2FA for every account on the system to add an important layer of security.

Limit Login Attempts

Brute force attacks depend on multiple login attempts. Brute force hacking is limited when it can only make a limited number of attempts. Three login attempts is a good starting point. It’s just enough to leave room for someone who’s genuinely mistaken their login information and just low enough to lock out potential threats before they guess the password. After three failed attempts, lock the account entirely and require a sysadmin to restore access after verifying the user’s identity.

Throttle Logins

You can also slow down login attempts, requiring a countdown between failed logins. Combined with a login limit, this method can stop a brute force attack after three tries and limits how quickly the cybercriminal can input information. This helps signal the administrator of suspicious activity as well.

Ensure your passwords are strong and unique

By ensuring that you use strong, unique passwords for all your accounts, you’re making it more difficult for a cybercriminal to guess your passwords. Make sure you’re always utilizing complex passwords that include letters, numbers and symbols. The more complex the better.

You can use a password generator tool to help you generate strong, unique passwords for all of your accounts.

English (US) Call Us
Try it Free