What is a Brute Force Attack? Type and Attack Prevention Tips
What is a brute force attack?
A brute force is a type of cyber attack that uses trial and error methods to guess login credentials, security keys or other sensitive information. Brute force attacks are surprisingly effective, especially given that about 65% of people reuse passwords. Reusing passwords is a dangerous and common practice, and one compromised password is all it takes to expose an entire system or group of credentials.
Brute force attacks are perpetrated against businesses and individuals alike, because, unfortunately, even employees reuse passwords. The average cost of a successful cyberattack is in the millions of dollars, and brute force attacks are becoming more common as more and more businesses adopt work-from-home practices for good.
Brute force attacks are on the rise
With malware attacks becoming more pervasive, we’re seeing an all-time high for everything from phishing attempts to ransomware to one of the most common kinds of cyberattacks: the brute force attack. The problem with brute force attacks is that they’re facilitated by their victims, many of whom reuse passwords, don’t use a password manager, or generally disregard the importance of passwords in cybersecurity.
Passwords form the backbone of basic cybersecurity. In many cases, the password can be an individual or organization’s best or worse cybersecurity measure. A great password can prevent brute force attacks and other malware, whereas a weak password can compromise an entire system.
Brute force attacks don’t just attack passwords, however. In this guide, we’ll cover the fundamentals of brute force attacks, including how to prevent them, the different attacks and password security tips for users of all experience levels.
Get Protected Now
Why brute force attacks are a threat
Brute force attacks are an especially dangerous cyberthreat because they allow a cybercriminal to force their way into several accounts at once. Methods like credential stuffing can attack thousands of accounts at once, and statistically, at least one will yield to the credentials.
Once credentials are verified, cybercriminals can gain access to all manner of accounts, from social media to bank accounts to government and business accounts with sensitive information.
How remote work has increased brute force attacks
The COVID-19 pandemic forced thousands of businesses to adopt work-from-home models until further notice. This served as one of the greatest business experiments in history. Businesses who had never before supported a work-from-home model were faced with a harrowing dilemma: adapt or perish. And, in fact, thousands of businesses did perish, and those that did not faced new challenges in the form of cyber crime.
From January through December 2020, brute force attacks rose from about 200,000 to well over 1.4 million across the globe. With businesses essentially doing trial runs of work-from-home models, it created the perfect opportunity for cybercriminals to take advantage of unsecured remote desktops and poor password management practices.
How brute force attacks work
Brute force password attacks work by using software to “guess” credentials. Through trial and error, brute force attacks will input common dictionary phrases, commonly hacked passwords, or specific letter and number combinations until they get a match.
How automated tools help with brute force attacks
With sophisticated automated tools, businesses are taking on brute force attacks and other malware threats. As threat detection becomes more sophisticated, it’s depending more on AI technology to detect, prevent and remove threats before they cause damage.
Bot protection can help monitor web traffic for suspicious activity and lock out users when an attack is suspected. Bots can also predict suspicious activity such as multiple login attempts and alert the victim before an attack is completed.
Brute force attacks are simple but often effective, especially if the individual or business doesn't have the right protections in place.
Get Protected Now
Types of brute force attacks
Simple Brute Force Attacks
Simple brute force attacks use trial and error to try different combinations to guess login credentials. The attacker will use a high-powered computer to try every letter, number and symbol combination they can. While this may seem inefficient, some computers can process trillions of combinations at once.
Dictionary attacks leverage simple dictionary words or phrases to crack user credentials. It’s advisable to use no words or phrases you can find in a dictionary, because a dictionary brute force attack may pick up on them and crack the password.
Hybrid Brute Force Attacks
Using external logic, the software guesses which passwords will have the most success and then uses brute force to apply every combination.
Reverse Brute Force Attacks
This method depends on a few selected common passwords. Lists of common passwords are easy enough to find online. Here's a list of 10,000. A reverse brute force attack uses a list like this to input these common passwords into multiple accounts hoping for a match.
Credential stuffing is one of the most effective brute force methods. Lists with previously breached passwords can be bought on the dark web, and cybercriminals use them to “stuff” credentials in dozens of websites to see if there’s a match. Often, users don’t change passwords on all of their accounts even if they’ve been previously hacked.
Password security best practices for system administrators
Protecting passwords is as much the duty of users as it is the administrators. Even the best passwords can be easily breached when the right protections and precautions aren’t in place. Here are some security best practices for sysadmins.
Encourage Better Habits
Sysadmins can help leadership by encouraging better password practices for employees. This means never reusing passwords and using strong combinations for passwords. This includes no dictionary phrases or words, using an alphanumeric combination that includes symbols, upper and lowercase and at least 14 characters. Using an Enterprise Password Management (EPM) Platform can make this process much easier at a company-wide scale.
Remove Inactive Accounts
When an employee exits the company, it’s important to remove their account entirely to avoid unauthorized logins. Even if an employee’s account is deactivated, it still acts as a potential point of entry for cybercriminals. Inactive accounts should be terminated as soon as possible and their credentials wiped from the system.
Require 2FA/MFA on All Accounts
Two-factor or multi-factor authentication can be the saving grace in a brute force attack. When a password is used from a strange or undocumented device, it triggers an extra authentication step. This can involve a text or email verification link, a biometric entry or some other method. This adds an extra layer of protection to every account.
2FA and MFA tools are often integrated into password management platforms and other cybersecurity tools. Sysadmins should consider requiring MFA or 2FA for every account on the system to add an important layer of security.
Limit Login Attempts
Brute force attacks depend on multiple login attempts. Brute force hacking is limited when it can only make a limited number of attempts. Three login attempts is a good starting point. It’s just enough to leave room for someone who’s genuinely mistaken their login information and just low enough to lock out potential threats before they guess the password. After three failed attempts, lock the account entirely and require a sysadmin to restore access after verifying the user’s identity.
You can also slow down login attempts, requiring a countdown between failed logins. Combined with a login limit, this method can stop a brute force attack after three tries and limits how quickly the cybercriminal can input information. This helps signal the administrator of suspicious activity as well.
Password security tips for users
For everyday users, password security is just as important. You may not be able to control backend security, but you can use these simple tips to create stronger passwords:
Don’t reuse passwords: Never reuse a password on multiple accounts. Every account should have a unique, secure password.
Don’t use common words or phrases: Common phrases and words are easily guessed by cybercriminals. Use only unique letter combinations and avoid spelling out words.
Use a password generator: A password generator creates a random password based on your parameters. You can control the number of characters, letter, symbol and number combinations and more.
Don’t use personal information: Most of us use personal information to make our passwords easier to remember, but this is a quick way to get breached. Never use birthdays, addresses or other personal or company information in passwords.
Use a password manager: Perhaps the best thing to do is to use a password manager. These versatile, secure cybersecurity tools allow you to create, store, and manage passwords across multiple accounts. Your passwords will stay organized and you won’t have to use personal information to remember them. Password managers like Keeper typically come with an autofill feature so you never have to manually type a password again.