What is a brute-force attack? Brute-force attack definition and prevention

Author: Sue Poremba

It's no surprise that an easy-to-remember password is also the easiest for a hacker to guess. A skilled hacker can figure out a six-character password almost instantly, but a 12-character password with a combination of upper and lowercase letters and symbols can take years and years to crack.

Of course, most hackers don’t have the time, patience or motivation to spend years trying to break into one network, so they rely on machine learning technologies to generate billions of combinations in seconds to accelerate their thievery. Because passwords are the key to vast amounts of data, a so-called “brute-force attack” represents a pervasive threat to your organization's cyber security. But what is a brute-force attack, and what can you do to guard against it?

What is a brute-force attack?

With brute-force attacks, cyber criminals either write their own password-guessing algorithms or purchase a software program designed to try username and password combinations against targeted networks. When the algorithm hits a combination that works, the hacker has access to sensitive data that can be used for identity theft, future attacks or profit on the dark web. Once inside a network, the cyber criminal can move around freely, often undetected for a very long time, because legitimate credentials were used.

There are different types of brute-force attacks, including:

  • Simple attacks that use as many passwords as possible to gain access.
  • Dictionary attacks that rely on a set list of known passwords.
  • Reverse attacks that use one password across hundreds of sites until it works.

How common are brute-force attacks?

The brute-force attack, in combination with stolen passwords, was used in more than 80% of all hacking-related data breaches, according to the Verizon 2020 Data Breach Investigations Report. In the words of the report, "Criminals are clearly in love with credentials, and why not since they make their jobs much easier?"

Other reports found that since the beginning of the pandemic in early 2020, brute-force attacks have more than quadrupled, often targeting remote workers who no longer have the security layers offered in the workplace.

However, brute-force attacks account for a much smaller percentage of the total number of data breaches—fewer than 20% for small businesses and 10% for enterprise—when all attack styles are considered. Because of this, security teams focus more attention on other attack vectors that use vulnerabilities and social engineering to download malware payloads. According to the 2021 Data Breach Investigations Report, 89% of web application hacking attempts come in the form of credential abuse through stolen credentials or brute-force attacks.

Brute-force attack prevention

The best prevention for a brute-force attack is a long, complicated password that is encrypted when stored. Security systems should be designed to detect and alert on multiple incorrect login attempts, or on login attempts coming from different, unfamiliar IP addresses. Users should be required to change their passwords regularly, with a mix of characters, and should complete mandatory training about the importance of good password hygiene. Using multi-factor authentication as much as possible further mitigates the risk of credential theft.
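The detection advice above (alert on repeated failed logins and on logins from unfamiliar addresses) and the three attack types listed earlier can be tied together in a small log-analysis routine. The following is an added example written for this article, not code from Verizon or the author. The log format, the thresholds, the sample lines and the "baseline" of previously seen IPs are all constructed for illustration; the only part of a "reverse" attack that a single site's logs can show is one source failing against many accounts, so that is the pattern checked here.

```python
"""Toy brute-force login detector over constructed auth-log lines.

Added example, not the article's or Verizon's code. The log format
("<ISO time> <OK|FAIL> user=<u> ip=<ip>"), thresholds and sample lines
below are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a 5-guess run on one account that succeeds,
# one source trying four accounts, and an account logging in from a new IP.
SAMPLE_LOG = """\
2024-01-15T09:00:01 FAIL user=alice ip=203.0.113.7
2024-01-15T09:00:02 FAIL user=alice ip=203.0.113.7
2024-01-15T09:00:03 FAIL user=alice ip=203.0.113.7
2024-01-15T09:00:04 FAIL user=alice ip=203.0.113.7
2024-01-15T09:00:05 FAIL user=alice ip=203.0.113.7
2024-01-15T09:00:06 OK user=alice ip=203.0.113.7
2024-01-15T09:10:00 FAIL user=bob ip=198.51.100.9
2024-01-15T09:10:01 FAIL user=carol ip=198.51.100.9
2024-01-15T09:10:02 FAIL user=dave ip=198.51.100.9
2024-01-15T09:10:03 FAIL user=erin ip=198.51.100.9
2024-01-15T09:30:00 OK user=bob ip=192.0.2.44
2024-01-15T09:31:00 OK user=bob ip=192.0.2.44
"""

# Assumed thresholds; tune them to the environment's normal failure rate.
FAIL_THRESHOLD = 5             # failures on one account within WINDOW: simple/dictionary pattern
SPRAY_THRESHOLD = 4            # distinct accounts failing from one IP within WINDOW: reverse pattern
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts, result, user_kv, ip_kv = line.split()
    return {"time": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user_kv.split("=", 1)[1], "ip": ip_kv.split("=", 1)[1]}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events, known_ips=None):
    """Return a sorted list of (alert_kind, subject) tuples.

    known_ips maps user -> set of IPs seen before this log (assumed to come
    from a baseline store). A user with no baseline gets one established by
    their first successful login rather than an alert.
    """
    known_ips = {u: set(ips) for u, ips in (known_ips or {}).items()}
    fails_by_user = defaultdict(list)   # user -> timestamps of recent failures
    fails_by_ip = defaultdict(list)     # ip -> (timestamp, user) of recent failures
    alerts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["ok"]:
            # A success from an address this account has never used is the
            # "unfamiliar IP" case; it is also what a successful guess looks like.
            seen = known_ips.setdefault(ev["user"], set())
            if seen and ev["ip"] not in seen:
                alerts.add(("new_ip_login", ev["user"]))
            seen.add(ev["ip"])
            continue
        # Sliding window per account: many failures on one account.
        recent = [t for t in fails_by_user[ev["user"]] if ev["time"] - t <= WINDOW]
        recent.append(ev["time"])
        fails_by_user[ev["user"]] = recent
        if len(recent) >= FAIL_THRESHOLD:
            alerts.add(("account_brute_force", ev["user"]))
        # Sliding window per source: one address failing across many accounts.
        recent_ip = [(t, u) for t, u in fails_by_ip[ev["ip"]] if ev["time"] - t <= WINDOW]
        recent_ip.append((ev["time"], ev["user"]))
        fails_by_ip[ev["ip"]] = recent_ip
        if len({u for _, u in recent_ip}) >= SPRAY_THRESHOLD:
            alerts.add(("password_spray_source", ev["ip"]))
    return sorted(alerts)


if __name__ == "__main__":
    baseline = {"bob": {"198.51.100.9"}}  # constructed: bob's previously seen address
    for kind, subject in detect(parse_log(SAMPLE_LOG), baseline):
        print(f"ALERT {kind}: {subject}")
```

Run as-is, the script raises three alerts: alice's account for the run of failures, the 198.51.100.9 source for failing across four accounts, and bob for a successful login from an address not in his baseline. The two windows are kept separately on purpose: an account-centric counter alone misses a source that spreads its guesses across many accounts, which is exactly the pattern the article's "reverse" attack produces from the defender's side.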

As long as businesses rely on passwords, hackers will try to manipulate them and use them to gain access. The more you know about how passwords are used in attacks, the better you can strengthen your entire credential system.

Discover how Verizon's managed security services can help keep your organization safe.