What is Brute Force Attack?
A brute force attack is a trial-and-error method for obtaining information such as a user password or personal identification number (PIN). In a brute force attack, automated software generates a large number of consecutive guesses as to the value of the desired data.
Brute force attacks, an older technique dating back to the earliest days of computers, may be used by criminals to crack encrypted data or by security analysts to test an organization’s network security.
Key Takeaways
- A brute force attack tries every possible combination of letters, numbers, and symbols until the right password or key is found.
- Brute force attacks use automated tools to generate and try thousands or millions of guesses very quickly.
- The only way to completely stop brute force attacks is to use long, complex, and unique passwords that would take centuries to crack.
- Encryption, account lockout policies, IP blocking, and captcha can help slow down brute force attacks and mitigate damage.
- Organizations should conduct ethical brute force testing on their systems to identify weak points before criminals exploit them.
How Brute Force Attacks Work
In a brute force attack, the attacker tries every possible combination of characters until the password or key is found. They take an automated approach, using software tools to generate and try thousands or millions of password guesses at incredible speeds.
The logic is simple—with enough guesses and time, the correct password will eventually be discovered. The name comes from this raw approach of trying every possibility rather than intelligently narrowing down the password space.
For example, to brute-force crack a 4-digit PIN, the software would start with 0000, then try 0001, 0002, 0003, and so on until all 10,000 possible 4-digit PINs have been tried. In the worst-case scenario, it may take up to 10,000 guesses to find the correct PIN.
Brute force attacks can be used on any data that has a finite set of possibilities, including:
- Passwords and passphrases
- PIN numbers
- Encryption keys
- Session cookies
- Hashed passwords
The effectiveness of a brute force attack depends on two factors:
- Password Complexity: Simple or short passwords are easier to crack than longer, complex passwords with a variety of character types.
- Compute Power: The speed at which an attacker can make password guesses is limited only by their hardware. Using many fast GPUs can make billions of guesses per second.
Generally, brute-force attacks are defeated by using sufficiently long and complex passwords. For example, an 8-character password using upper- and lowercase letters, numbers, and symbols would take hundreds of years to brute-force on modern hardware. Online services also employ other safeguards like captchas, account lockouts, and encryption to block brute-force attacks.
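The PIN search and the two factors above (keyspace size and guess rate), as an added example that is not part of the original article. It uses only the Python standard library; the stored PIN and the guess rate are constructed values for the demonstration:

```python
import hashlib
import itertools
import string

def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 digest, standing in for a weakly stored PIN."""
    return hashlib.sha256(text.encode()).hexdigest()

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a secret of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate (the attacker's compute power)."""
    return keyspace(alphabet_size, length) / guesses_per_second

def crack_pin(target_hash: str, digits: int = 4):
    """Exhaustive search exactly as the text describes: 0000, 0001, 0002, ... in order.
    Returns (pin, guesses_made) or (None, guesses_made) if the space is exhausted."""
    guesses = 0
    for combo in itertools.product(string.digits, repeat=digits):
        guesses += 1
        candidate = "".join(combo)
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return worst_case_seconds(alphabet_size, length, guesses_per_second) / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed example: a 4-digit PIN stored as an unsalted SHA-256 hash.
    stored = sha256_hex("7391")
    print(crack_pin(stored))              # ('7391', 7392): found on guess 7392 of at most 10000
    # Password policy check: 12 characters from the 95 printable ASCII symbols,
    # against an attacker making one billion guesses per second.
    print(f"{years_to_exhaust(95, 12, 1e9):.2e} years")   # roughly 1.7e7 years
```

Changing the rate to what a GPU rig or a cloud fleet can reach is the quickest way to sanity-check a password length policy against the compute-power factor.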
Brute Force Attack Tools
There are many password-cracking tools available that can be used to automate brute force attacks:
- Hashcat: Popular password recovery tool that can perform brute force attacks at very high speeds using GPU acceleration. Supports many hashing algorithms.
- John the Ripper: Open-source password cracker that pioneered many brute force attack techniques. Can detect weak password patterns.
- Hydra: Command line tool specialized for attacking logins and passwords on network services like SSH, FTP, SNMP, and more.
- medusa: Parallel password cracker designed for high-speed brute forcing of remote login services. Supports many protocols.
- ncrack: Part of the Nmap security scanner toolset. Brute forces network device passwords using popular protocols.
- DaveGrohl: Tool focused specifically on brute-forcing passwords for encrypted PDF documents.
- oclHashcat: Brute-force tool that uses GPUs to achieve extremely high speeds. Designed for advanced users.
- Brutus AET2: Password cracker for Windows that can brute force local passwords as well as remote passwords over protocols.
- THC Hydra: Command line tool that provides module-based brute force attacks against hundreds of protocols and services.
- Crunch: Generates custom wordlists for brute force attacks based on user-defined patterns. It helps optimize brute forcing.
These tools allow ethical security researchers and criminals alike to leverage computers and networks to brute-force credentials rapidly. Using GPU acceleration and distributed attacks across many systems, trillions of guesses can now be achieved.
Different Types of Brute Force Attacks
There are several different types and techniques when it comes to brute force attacks:
Credential Stuffing
This is the simplest brute force attack, in which lists of stolen username and password pairs are tried against various websites. Even ancient credential lists can be effective if users reuse passwords across sites.
Password Guessing
Trying common passwords, keyboard patterns, and personal information to guess passwords. Wordlists tailored to geographic regions or languages can boost success rates.
Incremental Brute Force
It starts with an empty password and tries incremental additions like a, aa, aaa, aaaa to build longer passwords methodically.
Dictionary Attack
Takes a wordlist of common passwords and tries them one by one. Wordlists can contain millions of dictionary words, phrases, and mutations to build good coverage.
Hybrid Brute Force
Uses a mix of incremental, dictionary, and predictive password patterns during the brute force attack for wider coverage.
Rainbow Tables
It uses precomputed hash tables to reverse cryptographic hashes quickly. Rainbow tables trade disk space (terabytes) to find hashed passwords much faster.
Birthday Attack
Exploits hash collisions where two inputs generate the same hash value. It is good for finding weaknesses in some hashing algorithms.
Rule-based Brute Force
It applies common syntax rules seen in real passwords to mutate the base wordlist, such as suffixing numbers or special characters to dictionary words.
The most successful brute force attacks will combine techniques like dictionaries, rules, and mutations to build sophisticated password-guessing algorithms.
Brute Force Attack Examples
Here are some real-world examples of brute force attacks:
- In 2019, Capital One suffered a data breach. A hacker brute-forced an application credential to gain access, stealing over 100 million customer records.
- Researchers have shown that brain wallet passphrases for cryptocurrency wallets can be cracked in minutes with standard desktop hardware. Simple passphrases are risky.
- In 2013, hackers used brute force attacks against WordPress sites hosted on HostGator and CloudFlare. With more than 60 million downloads, WordPress is a popular tool used to build and run websites.
- Brute-forcing Gmail accounts using stolen credentials lists is common. Google blocks brute-force attempts by using captchas and account lockouts.
- In 1988, the Morris Worm was propagated by brute-forcing weak passwords on UNIX systems. It infected over 10% of computers connected to the early Internet.
- In 2020, a hacker allegedly behind a spate of Twitter account hacks gained access to a Twitter “admin” tool on the company’s network that allowed them to hijack high-profile Twitter accounts to spread a cryptocurrency scam, according to a person with direct knowledge of the incident.
These examples highlight how common brute-force attacks are still across many industries and technologies. Wherever there are passwords or keys, there are opportunities for brute-force attacks.
How to Prevent Brute Force Attack?
Defending against brute force attacks involves implementing layers of protection:
Strong Passwords
A good first line of defense is to use randomly generated long, complex passwords of 12+ characters. Avoid common words, dates, and patterns.
Password Managers
Tools like LastPass and 1Password provide strong random passwords for all sites and apps. This prevents password reuse across sites.
2 Factor Authentication
Adding a second layer like biometrics, SMS codes, or authenticator apps protects against credential stuffing attacks.
Account Lockouts
Lock user accounts for some time after a certain number of failed login attempts to slow brute forcing.
IP Blocking
Identify and block source IP addresses that are repeatedly failing login attempts to mitigate attacks.
Encryption Keys
Using sufficiently strong encryption keys of 2048+ bits prevents brute forcing of encrypted data.
CAPTCHAs
Challenge-response tests between login attempts help block automated bots and scripted brute-force attacks.
Monitoring
Watch for spikes in failed login attempts or outbound credential stuffing traffic as signals of a brute force attack.
Penetration Testing
Ethically attempt brute force attacks against your systems to find and fix weaknesses before attackers do.
A defense-in-depth approach across layers is key to preventing the success of brute-force attacks. This forces attackers to overcome multiple safeguards in order to find passwords and access accounts or data.
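The Account Lockouts, IP Blocking, and Monitoring layers above, as an added example that is not part of the original article: a small detector run over constructed sshd-style log lines (sample data, not from any real host). The thresholds are assumed values; it also separates single-account brute forcing from one-guess-per-account spraying, which a per-account lockout alone never catches:

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: one source hammers a single account, another tries
# one guess each against several accounts, and one unrelated login succeeds.
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[101]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Jan 10 09:00:02 host sshd[102]: Failed password for alice from 203.0.113.7 port 50002 ssh2
Jan 10 09:00:03 host sshd[103]: Failed password for alice from 203.0.113.7 port 50003 ssh2
Jan 10 09:00:04 host sshd[104]: Failed password for alice from 203.0.113.7 port 50004 ssh2
Jan 10 09:00:05 host sshd[105]: Failed password for alice from 203.0.113.7 port 50005 ssh2
Jan 10 09:01:00 host sshd[110]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jan 10 09:01:01 host sshd[111]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Jan 10 09:01:02 host sshd[112]: Failed password for invalid user dave from 198.51.100.9 port 40003 ssh2
Jan 10 09:01:03 host sshd[113]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Jan 10 09:02:00 host sshd[120]: Accepted publickey for ops from 192.0.2.5 port 30001 ssh2
"""

# Matches sshd failure lines, including the "invalid user" variant for unknown names.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def analyze(log_text: str, fail_threshold: int = 5, spray_accounts: int = 4) -> dict:
    """Return accounts to lock, sources to block, and sources that look like password spraying."""
    per_account = Counter()                 # failures per target account  -> lockout rule
    per_source = Counter()                  # failures per source IP        -> IP blocking rule
    accounts_by_source = defaultdict(set)   # distinct accounts per source  -> spraying rule
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue                        # successful logins and other noise are ignored
        user, source = match.groups()
        per_account[user] += 1
        per_source[source] += 1
        accounts_by_source[source].add(user)
    return {
        "lockout_accounts": sorted(u for u, n in per_account.items() if n >= fail_threshold),
        "block_sources": sorted(s for s, n in per_source.items() if n >= fail_threshold),
        "spray_sources": sorted(s for s, users in accounts_by_source.items()
                                if len(users) >= spray_accounts),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, 203.0.113.7 trips both the lockout and the block rule, while 198.51.100.9 stays under the failure threshold and is only caught by the distinct-accounts rule.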
Brute Force Attacks on Hashed Passwords
One common target for brute force attacks is hashed passwords. Password hashes are encrypted strings that represent the actual passwords without storing them in plain text.
Here is how a brute force attack works on a hashed password:
- An attacker gets access to a database of hashed passwords, such as acquiring a website’s user database.
- The hashes are input into a password-cracking tool like Hashcat or John the Ripper.
- The software tries decrypting the hashes using a brute-force attack, making trillions of guesses per second using different passwords and types of encryption.
- Once the correct password that generates the same hash value is found, the password will be cracked.
- The attacker can now access accounts by using the revealed password credentials.
Defending against brute forcing of password hashes requires using secure hashing algorithms like bcrypt, Argon2, or PBKDF2. These hashes are designed to be slow and resource-intensive to compute, significantly slowing down brute-force attacks.
Salting password hashes before hashing also greatly improves resistance to attacks using rainbow tables of precomputed hashes.
Finally, organizations must store password hashes securely, enforcing principles of least privilege and access control to prevent attackers from capturing the hashed passwords in the first place.
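The defences in the three paragraphs above (a slow hash and a per-user salt), as an added example that is not part of the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, user names and passwords are constructed values for the demonstration:

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this demo, tune to your hardware.
ITERATIONS = 600_000

def fast_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt=None, iterations: int = ITERATIONS):
    """Salted, deliberately slow hash. Returns (salt, digest); store both next to the user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """Why salting matters: a table computed once from the wordlist is looked up
    against every unsalted hash at no extra cost per user (the rainbow-table idea)."""
    table = {fast_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def attacker_hash_ops(num_users: int, num_candidates: int, salted: bool) -> int:
    """Hash computations needed to test every candidate against every user's hash.
    With unique salts the work multiplies by the number of users; with slow hashes
    each of those computations is also thousands of times more expensive."""
    return num_candidates * (num_users if salted else 1)

if __name__ == "__main__":
    # Constructed sample: three users, two of whom chose the same weak password.
    users = {"alice": "summer2023", "bob": "summer2023", "carol": "Tr0ub4dor&3"}
    unsalted = {u: fast_unsalted(p) for u, p in users.items()}
    print(crack_unsalted(unsalted, ["123456", "summer2023", "qwerty"]))   # alice and bob fall together
    salted = {u: hash_password(p) for u, p in users.items()}
    print(salted["alice"][1] != salted["bob"][1])   # True: same password, different digests
    print(verify_password("summer2023", *salted["alice"]))   # True
    print(attacker_hash_ops(1_000_000, 10_000, salted=False),
          attacker_hash_ops(1_000_000, 10_000, salted=True))  # 10000 vs 10000000000
```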
Brute Force Attack Tools for Ethical Security Testing
Penetration testers and ethical hackers use some of the same brute-forcing tools as criminals to evaluate the security of systems and find weaknesses before they can be exploited.
Some popular ethical hacking tools with brute force capabilities include:
- Metasploit: Pen testing framework that has modules for brute forcing many protocols, including SMB, SSH, FTP, and more.
- Burp Suite: Intercepting web proxy that can perform customized brute force attacks for web apps.
- Nmap: Network scanner that includes brute force password cracking for devices via scripts or Ncrack tool.
- THC Hydra: Command line tool with extensive protocol support for remote password cracking.
- hashcat: Password recovery tool optimized for speeding up brute force attacks.
- John the Ripper: Longtime password cracker useful for pen testing operating systems and password policies.
- Aircrack-ng: Specialized wireless pen testing tool that can brute force WiFi passwords.
These tools allow white hat hackers to identify accounts with weak credentials before cybercriminals do. Ethical brute forcing is conducted on systems with explicit permission from owners.
By running controlled brute force attacks, organizations can better understand real-world password-cracking capabilities. The results can motivate improving password policies and upgrading insecure protocols susceptible to brute forcing attacks.
The Future of Brute Force Attacks and Defense
Looking ahead, a few trends will shape the future landscape of brute force attacks:
- Faster hardware: GPUs and custom ASICs will provide massive increases in computational power to run speedier brute-force attacks. Cloud computing can also offer vast resources.
- New algorithms: It will be important to develop new hash algorithms that are resistant to emerging cryptographic attacks, including quantum brute forcing.
- Better credential hygiene: User education, password managers, and stronger authentication will help reduce vulnerable credentials available to brute force.
- Improved monitoring: Leveraging big data analytics to spot brute force activity quickly will allow faster responses to contain attacks.
- Password-less authentication: Innovations like biometrics and hardware tokens can eliminate passwords, the root cause of most brute-force attacks.
Organizations must continue to make brute-force attacks as difficult as realistically possible through defense-in-depth. At the same time, improving mechanisms to detect credential compromise and anomalies from brute-force attacks is key.
While brute force attacks have existed for decades, they will continue to evolve and remain a threat into the future that must be guarded against.
Final Thoughts
A brute force attack is a method of gaining unauthorized access to a system by systematically trying every possible password or passcode until the correct one is found. Attackers use automated tools to make millions of guesses at incredible speeds.
Brute force attacks can be launched against many authentication mechanisms, including passwords, PINs, and encryption keys. The only way to fully stop brute force attacks is to use sufficiently long and complex passwords.
Organizations should also employ other defenses like multi-factor authentication, account lockouts, IP blocking, and monitoring systems to detect brute force attempts. Although brute force attacks are an old technique, they remain a threat due to the presence of weak credentials.
Frequently Asked Questions (FAQ) About Brute Force Attacks
Here are some common questions users and organizations may have about brute-force attacks:
How do attackers get access to password hashes and credentials to brute force?
Credentials are obtained through data breaches, phishing attacks, malware, social engineering, insider access, and capturing hashed passwords from insecure transmission or storage.
Can brute force attacks break two-factor authentication (2FA)?
In general, no: Two-Factor Authentication (2FA) provides a second layer of protection on top of passwords that cannot be brute-forced. However, some 2FA implementations do allow brute forcing of backup codes or the 2FA secrets themselves if access is gained to them.
Are longer passwords better at stopping brute force?
Yes, significantly longer, complex passwords of 12+ characters are exponentially harder to brute force with current technology. Length improves security more than complexity.
Do Facebook, Gmail, and other big sites have issues with brute-force attacks?
They are constantly targeted, but their lockout policies and other protections have proven effective at mitigating large-scale brute-force attacks on user accounts.
Can captchas stop all brute force attacks?
CAPTCHAs help block unsophisticated scripted brute force attacks. However, human solvers can be used to defeat them, and machine learning techniques can automatically solve some CAPTCHAs.
Is a brute force attack the same as password spraying?
No. Password spraying tries a single commonly used password across many different accounts while brute-forcing attempts many different passwords against a single account.
Are passwords other than text susceptible to brute force attacks?
Yes, biometric passwords like fingerprints or facial recognition can also be brute forced by trying many samples. Physical keys with chip encryption are also vulnerable if the encryption is weak.
How can I tell if someone is brute-forcing my account?
Online accounts will often send notifications about failed login attempts or lock logins after several failures. Monitoring systems can also alert people to repeated failed attempts from a single source.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.