Cyber Security Solutions, Compliance, and Consulting Services - IT Security

We offer It security management, data, network, & Information security services for protecting information & mitigating security risks to your organization.

Everything You Need to Know About Brute Force Attacks

cyber security

A “Brute Force Attack” is when a hacker attacks someone’s data with everything they’ve got and gets into their account. They don’t just break in, they get into the account using their own password.

Guessing a password is quite a long shot unless you really know the person and might know their patterns. This makes randomly guessing a password more of a one in a million type of thing. But hackers have created algorithms and codes that guess millions of passwords per second until they find the right one and gain access to people’s accounts. This is a brute force attack.

Just moving everything offline isn’t going to help, brute force attacks can also be done offline!

In an online attack, a hacker uses the server and opens the website they’re trying to hack the account on. Then they run the algorithm and let it keep trying passwords until it’s cracked. Some websites try to deter brute force attackers by adding rate-limiting on the log-in pages. This only lets people try to log in a certain amount of times, e.g 5 times, and then locks for a specific time frame. Similar to the “allow 10 tries” on your passcode settings on your phone! Even with this security mechanism in place, hackers can easily make their way through and get into any accounts they want.

Offline attacks are a little more tricky, but they tend to be more effective, which is why many hackers prefer them.

One of the most common offline brute force attacks is called Hashing. In this attack, the hackers gain access to the passwords in their encrypted “hash” forms (the encrypted way the websites store passwords). They then take those hashes and compare them to sets of decrypted hashes they already have offline, and easily crack the code fairly quickly.

Another way they can get into an account is by using an attack called the dictionary attack. This is when hackers use information about you to guess your password. People tend to use numbers that match birthdates or telephone numbers mixed in with their names. They take the users data and run it through their system, which tries several different combinations of the data until they’ve cracked the code. 

How to stay safe from brute force attacks

Users

Use strong, unique passwords: Most websites have a “weak to strong” meter where you type your password in when you’re first deciding on one. Use it as a guide to determine the strength of your password. The weaker it is, the easier it is to crack. Ideally, your password should be long, shouldn’t be based on your name and birth date, and should include numbers and uppercase letters. This would ensure that the hacker would have to know your exact password to get in.

Secure remote desktop connections: If you use a remote desktop system, make sure that your passwords on that are very strong too and that you disconnect from it whenever you’re not using it. As these connections are extremely vulnerable, a hacker can easily get in and have complete access to your entire computer.

Always use two-factor authentication: When you have two-factor authentication turned on, even if the hacker figures out your password, they can’t get in until they also have the “one-time password”, commonly known as the OTP, as well. 


Website Operators

Make sure you’re using Rare-limiting: Rare-limiting makes sure that the users on your website will have an added layer of protection if someone’s trying to hack them. Setting the limit as low as 5 tries make sure that the hacker will have to spend a lot of time trying to get in, and that they’d need access to the actual email address attached to the account too. However, it’s important that there’s a quick way for the actual owner to verify themselves and access their accounts immediately, so they can change passwords in time and prevent a full attack.

Make use of the secure shell: This will make sure that even if the hacker does gain access to the account, the real owner can securely get in and lock them out.

Use updates algorithms to store passwords: This will ensure that the hacker can’t create a table that helps them in a dictionary attack. If your algorithms keep changing, they won’t find a pattern to go off of.