What is a brute-force
attack? Brute-force
attack definition and
prevention

It's no surprise that an easy-to-remember password is also the easiest for a hacker to guess; however, long, complex passwords that use a combination of numbers, upper and lower case letters and symbols can take time to crack.

Of course, most hackers don’t have the time, patience or motivation to waste trying to guess their way into one network, especially when they have machine learning technologies that can generate billions of combinations in seconds to accelerate their thievery. Passwords are typically the first line of defense to vast amounts of personal information and/or important data, meaning, a “brute-force attack” represents a pervasive threat to your organization's cyber security.

What is a brute-force attack, and what can you do to guard against it?

A brute-force attack is a trial-and-error method that a hacker uses to attempt to figure out their target’s password. Cyber criminals either create their own algorithmic formulas or can purchase a software program designed to produce password and username combinations to use against targeted networks. When the algorithm hits the right combination and produces a password that works, the hacker now has access to sensitive data and network systems that are used for identity theft, future attacks or profit on the dark web. Once inside a network, the cyber criminal can move around freely, often undetected for a long time because legitimate credentials were used.

There are a variety of tools that can help a bad actor carry out an attack. Many of these tools are free and can compromise different operating systems.

Some of the more popular brute-force attack tools used to crack passwords include:

• Aircrack-ng, to crack wireless networks
• John the Ripper, an open source tool that runs on 15 different platforms
• Rainbow Crack, uses rainbow tables
• L0phtCrack and Ophcrack, to crack Windows passwords
• Hashcat, to crack even the most complex passwords
• DaveGrohl, an open-source tool for cracking Mac OS
• Ncrack and THC Hydra, high-speed tools for cracking network authentication

According to the 2021 Data Breach Investigations Report, 89% of web application hacking attempts come in the form of credential abuse through stolen credentials or brute-force attacks.

Studies show that brute-force attacks have seen a dramatic rise since the beginning of the pandemic, with attacks more than quadrupling. Brute-force attacks often target remote workers who no longer have the security layers offered in the workplace. 

The motivations behind brute-force attacks vary. They range from stealing information to distributing malware to disrupting services. In other cases, threat actors are looking to damage an organization’s reputation. But regardless of the motive, these bad actors are seeking to do damage in one way or another, and they are often highly successful.

The different types of brute-force attacks include:

• Simple attacks that use as many passwords as possible to gain access.
• Dictionary attacks that rely on a set list of known passwords.
• Reverse attacks that use one password across hundreds of sites until it works.
• Credential stuffing attacks that use lists of stolen account credentials to gain unauthorized access to another system.
• Rainbow table attacks that use a rainbow table to crack password hashes stored in a database.