A brute force attack in cyber security is a method of guessing passwords, login credentials, encryption keys, or hidden web pages and content in order to gain unauthorised access to data, systems or networks. It is a trial-and-error approach that works through possible combinations until it arrives at the correct one, and it may involve millions of attempts. Hijacking an account, stealing data and redirecting traffic from a website are typical outcomes of a successful brute force attack.
Over the years, more than 8.5 billion usernames and passwords have been compromised. These stolen credentials are sold among bad actors on the dark web and used for everything from spam to account takeovers.
Credential stuffing is a particular problem in the gaming, media and retail industries because users tend to reuse logins and passwords. If a scammer gains access to someone's account at a utility company, for example, they are more likely to be able to log in to that user's online bank account with the same credentials.
A successful brute force attack can give an attacker:
• Access to personal data
• Access to your system for malicious activity
• The ability to edit your website and ruin your reputation
• The ability to spread malware
• Profit from ads or activity data
Simple brute force attack
Cyber criminals might use tools or scripts that automate the task of trying one password after another until the correct one is found. Depending on the resources available to the attacker, they may be able to make hundreds or thousands of guesses per second, or more. This approach easily cracks simple passwords that lack mixed letter cases and symbols.
Dictionary attack
This may include using words from a dictionary combined with numbers, but it also uses lists of leaked credentials, a practice known as credential recycling. The approach can be developed further to try variations of words with different lower- and uppercase letters. A dictionary attack is more targeted, relying on certain phrases being commonly used as passwords, but it is limited by the logic it is given: for example, it will not attempt unlikely or random combinations.
Credential stuffing
These attacks use known (stolen or leaked) combinations of usernames and passwords from one website to attempt logins on many other websites. In short, they exploit the fact that people reuse their usernames and passwords.
Reverse brute force attack
Reverse brute force attacks typically start with attackers knowing usernames and trying to guess passwords.
Brute force attacks are very effective against short or frequently used passwords, while a longer password is hard to guess. The longer a password is, the greater the resources and time required to guess it.
Use multi-factor authentication
Using multi-factor authentication makes brute force attacks less likely to succeed, for example by requiring both a password and a fingerprint.
Implement IT hygiene measures
Gain visibility into how credentials are used across the environment and require passwords to be changed regularly. Adding a CAPTCHA to login forms can effectively stop automated brute force attacks in progress.
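The visibility called for above starts with the failed-login patterns that distinguish the attack types described earlier: many failures against a single account point to password guessing, while a single source failing against many different accounts points to a replayed list of stolen credentials. The following is an added example written for this article, not code from its author; the log format, the field names and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data).
# Line format: <timestamp> <FAIL|OK> user=<account> src=<source-ip>
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:02 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:03 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:04 FAIL user=alice src=198.51.100.7
2024-05-01T10:01:00 FAIL user=bob src=203.0.113.9
2024-05-01T10:01:01 FAIL user=carol src=203.0.113.9
2024-05-01T10:01:02 FAIL user=dave src=203.0.113.9
2024-05-01T10:02:00 FAIL user=grace src=192.0.2.5
2024-05-01T10:02:07 OK user=grace src=192.0.2.5
"""

def parse_events(log):
    """Split each log line into (timestamp, result, account, source)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, result, user_field, src_field = line.split()
        events.append((ts, result, user_field.split("=", 1)[1],
                       src_field.split("=", 1)[1]))
    return events

def classify_failures(log, per_account=3, accounts_per_source=3):
    """Flag two failed-login patterns (thresholds are illustrative):
    'guessing' - one account hit by many failures (password guessing),
    'stuffing' - one source failing against many accounts (replayed list)."""
    fails_per_account = defaultdict(int)
    accounts_per_src = defaultdict(set)
    for _, result, user, src in parse_events(log):
        if result != "FAIL":
            continue                      # successes are not counted
        fails_per_account[user] += 1
        accounts_per_src[src].add(user)
    findings = {}
    for user, n in fails_per_account.items():
        if n >= per_account:
            findings[("guessing", user)] = n
    for src, users in accounts_per_src.items():
        if len(users) >= accounts_per_source:
            findings[("stuffing", src)] = len(users)
    return findings
```

On the sample log this flags the account alice (four failures) and the source 203.0.113.9 (failures against three different accounts), while grace's single mistake before a successful login is ignored.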
Set up policies that reject weak passwords
Set up a policy for how passwords are created. Always remind your employees to use a combination of upper- and lowercase letters as well as special characters, to make their passwords difficult to guess.