It's no surprise that an easy-to-remember password is also the easiest for a hacker to guess; however, long, complex passwords that use a combination of numbers, upper and lower case letters and symbols can take time to crack.
Of course, most hackers don’t have the time, patience or motivation to guess their way into a network by hand, especially when they have machine learning technologies that can generate billions of combinations in seconds to accelerate their thievery. Passwords are typically the first line of defense for vast amounts of personal information and important data, which means a “brute-force attack” is a pervasive threat to your organization's cyber security.
What is a brute-force attack, and what can you do to guard against it?
What is a brute-force attack?
A brute-force attack is a trial-and-error method that a hacker uses to figure out a target’s password. Cyber criminals either write their own algorithms or purchase software designed to generate username and password combinations to try against targeted networks. When the algorithm hits the right combination and produces a password that works, the hacker has access to sensitive data and network systems, which can then be used for identity theft, future attacks or profit on the dark web. Once inside a network, the cyber criminal can move around freely, often undetected for a long time because legitimate credentials were used.
Brute-force attack tools
There are a variety of tools that can help a bad actor carry out an attack. Many of these tools are free and can compromise different operating systems.
Some of the more popular brute-force attack tools used to crack passwords include:
- Aircrack-ng, to crack wireless networks
- John the Ripper, an open source tool that runs on 15 different platforms
- RainbowCrack, which uses rainbow tables
- L0phtCrack and Ophcrack, to crack Windows passwords
- Hashcat, to crack even the most complex passwords
- DaveGrohl, an open source tool for cracking Mac OS passwords
- Ncrack and THC Hydra, high-speed tools for cracking network authentication
How common are brute-force attacks?
According to the 2021 Data Breach Investigations Report, 89% of web application hacking attempts come in the form of credential abuse through stolen credentials or brute-force attacks.
Studies show that brute-force attacks have seen a dramatic rise since the beginning of the pandemic, with attacks more than quadrupling. Brute-force attacks often target remote workers who no longer have the security layers offered in the workplace.
What is the motivation behind brute-force attacks?
The motivations behind brute-force attacks vary. They range from stealing information to distributing malware to disrupting services. In other cases, threat actors are looking to damage an organization’s reputation. But regardless of the motive, these bad actors are seeking to do damage in one way or another, and they are often highly successful.
Types of brute-force attacks
The different types of brute-force attacks include:
- Simple attacks that use as many passwords as possible to gain access.
- Dictionary attacks that rely on a set list of known passwords.
- Reverse attacks that use one password across hundreds of sites until it works.
- Credential stuffing attacks that use lists of stolen account credentials to gain unauthorized access to another system.
- Rainbow table attacks that use a rainbow table to crack password hashes stored in a database.
How to prevent brute-force attacks
Security systems should be designed to detect and alert on repeated incorrect login attempts and on login attempts that come from different, unfamiliar IP addresses. Users should be required to change their passwords regularly, to use a mix of characters and symbols, and to complete mandatory training about the importance of good password hygiene. Long, complicated passwords that are encrypted when stored, combined with multi-factor authentication, further mitigate the risk of credential theft.
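The detection logic described above, as an added example that is not part of the original article: a small Python detector run over constructed authentication log lines. It raises three kinds of alerts that map to the attack types discussed on this page: repeated failures against one account inside a short window (simple and dictionary attacks), a successful login from an IP address the account has never used before (the "unfamiliar IP" signal), and failures spread across many different accounts from one source IP (the one-password-against-many-accounts pattern). The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not from the original article); the format is an
# assumption: ISO timestamp, user, source IP, and success/failure result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=alice ip=203.0.113.10 result=success
2024-03-01T10:00:05Z user=bob ip=198.51.100.7 result=failure
2024-03-01T10:00:06Z user=bob ip=198.51.100.7 result=failure
2024-03-01T10:00:07Z user=bob ip=198.51.100.7 result=failure
2024-03-01T10:00:08Z user=bob ip=198.51.100.7 result=failure
2024-03-01T10:00:09Z user=bob ip=198.51.100.7 result=failure
2024-03-01T10:00:10Z user=bob ip=198.51.100.7 result=failure
2024-03-01T10:05:00Z user=alice ip=192.0.2.55 result=success
2024-03-01T10:06:00Z user=carol ip=198.51.100.99 result=failure
2024-03-01T10:06:01Z user=dave ip=198.51.100.99 result=failure
2024-03-01T10:06:02Z user=erin ip=198.51.100.99 result=failure
2024-03-01T10:06:03Z user=frank ip=198.51.100.99 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Thresholds are illustrative assumptions; tune them to the environment.
FAIL_THRESHOLD = 5     # failures against one account inside the window -> alert
SPRAY_THRESHOLD = 4    # distinct accounts failing from one IP inside the window -> alert
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["result"] == "success"}


def detect(log_text):
    """Return a list of alert tuples found in the log, in the order they fire."""
    alerts = []
    fails_by_user = defaultdict(deque)  # user -> timestamps of recent failures
    fails_by_ip = defaultdict(deque)    # ip -> (timestamp, user) of recent failures
    known_ips = defaultdict(set)        # user -> IPs seen on earlier successful logins
    alerted = set()                     # keys already reported, to avoid duplicates

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, ip = ev["ts"], ev["user"], ev["ip"]

        if ev["ok"]:
            # A success from an address this account has never used before is
            # worth a look; the first ever login establishes the baseline.
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append(("new-ip", user, ip))
            known_ips[user].add(ip)
            continue

        # Sliding window of failures for this account.
        q = fails_by_user[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ("brute", user) not in alerted:
            alerted.add(("brute", user))
            alerts.append(("brute-force", user, ip))

        # Sliding window of failures from this source IP across all accounts.
        qi = fails_by_ip[ip]
        qi.append((ts, user))
        while (ts - qi[0][0]).total_seconds() > WINDOW_SECONDS:
            qi.popleft()
        distinct = {u for _, u in qi}
        if len(distinct) >= SPRAY_THRESHOLD and ("spray", ip) not in alerted:
            alerted.add(("spray", ip))
            alerts.append(("password-spray", ip, sorted(distinct)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Against the sample lines the detector fires once for bob's burst of failures, once for alice's success from a new address, and once for the four different accounts probed from 198.51.100.99. Real deployments would feed this from the identity provider or VPN logs, alert through the SIEM, and pair it with lockout or rate limiting so the failures never reach the threshold in the first place.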
As long as businesses rely on passwords, hackers will try to manipulate them and use them to gain access. The more you know about how passwords are used in attacks, the better you can strengthen your entire credential system.
Now that you have an answer to the question, “what is a brute-force attack,” discover how Verizon's managed security services can help you keep your organization safe.
The author of this content is a paid contributor for Verizon