A brute force attack is an attempt to guess a username or password through trial and error. Brute force software tries to log in to a service with thousands, if not millions, of character combinations. Some brute force attacks are more targeted: instead of random guesses, they start from credentials that leaked in earlier breaches.
If you want to protect yourself from this type of attack, here’s what you have to do:
- Use longer and more complex passwords.
- Set up multi-factor authentication.
- Subscribe to a password manager. We recommend 1Password. It’s secure and affordable.
If you want to find out more about how brute force attacks work, and how to protect yourself, read our full article below.
Have you ever wondered how hackers get their hands on the passwords of unsuspecting victims? It’s not always by exploiting the security vulnerabilities of a big platform. Sometimes, it’s as simple as trying out combinations of random letters and numbers. That’s what a brute force attack does.
A brute force attack is a trial-and-error attempt at guessing a user’s login credentials, meaning their username and password. The guessing is automated: the software either works through a dictionary (a list of likely passwords or previously leaked credentials) or generates every possible combination of characters, and tries each one until a login succeeds.
That’s the basics of it — but modern brute force attacks are much more complex. How do they work, exactly? And how can you protect yourself against brute force attacks?
How Do Brute Force Attacks Work?
In its simplest form, a brute force attempt will try to guess a username and password combination. Here’s how hackers generally do this:
- Through credentials generation, they’ll instruct brute force attack tools to generate credential combinations within set parameters, such as a password of six or more characters drawn from letters, digits, and symbols.
- The software will generate a (very) long list of combinations. We’re talking hundreds of billions of options for six characters alone, and every extra character multiplies that number.
- The brute force attack tools will attempt to log in to a specific service with each individual credential combination. Against a live login page the bottleneck is the service, not the attacker’s computer: every attempt is a network round trip, and the site may slow down or block repeated failures, so the process can take days, weeks, or months.
If a credential combination ends up unlocking an account, the brute force attack was successful and the hacker has access to that account.
Different Types of Brute Force Attempts
The explanation above describes a hypothetical brute force attempt. In real life, however, those simple brute force attacks usually aren’t enough to hack an account. Most often, a successful brute force attack needs a combination of different types of attempts. We’ve listed those below.
1. Basic brute force attacks
Basic attempts to hack people’s accounts work with lists of generated credentials. Tools like Hydra (an online login cracker) can generate every combination of characters from a chosen set and try each one as a username and password against a login service. However, this type of brute force attempt is not very effective against a live service, and it’s easy to see why.
The 95 printable ASCII characters (upper- and lowercase letters, digits, symbols, and space) give 95^6, roughly 7.4 × 10^11, possible six-character strings: hundreds of billions. Each extra character multiplies that by 95, so seven characters is already about 7 × 10^13, and realistic passwords are longer still. At the few attempts per second a login page will tolerate, even the six-character space would take centuries to exhaust.
In short, these basic brute force attacks won’t get hackers very far against a live login form. They only become practical when the attacker has stolen a copy of the password hashes and can test guesses offline at billions per second, which is the situation the rainbow table section below describes.
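To make the numbers above concrete, here is an added example (not code from the original article) that runs a basic brute force against a stand-in login service and computes how long exhausting a keyspace would take. The `LoginSimulator` class and the two guess rates are assumptions chosen for illustration: about ten guesses per second for a tolerant web login, and ten billion per second for a GPU testing fast hashes offline.

```python
"""Exhaustive brute force and why its cost explodes.

Added example, not code from the original article. LoginSimulator stands in
for a login service that only answers yes/no; ONLINE_RATE and OFFLINE_RATE are
order-of-magnitude assumptions, not measurements.
"""
import hmac
import itertools
import string

PRINTABLE_ASCII = 95                 # letters, digits, punctuation and space
SECONDS_PER_YEAR = 365.25 * 24 * 3600

ONLINE_RATE = 10                     # assumed guesses/s a web login tolerates
OFFLINE_RATE = 10_000_000_000        # assumed SHA-256 guesses/s on a fast GPU


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Number of strings of length 1..max_length (an attacker tries them all)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def time_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case seconds needed to try every candidate in `space`."""
    return space / guesses_per_second


def describe_duration(seconds: float) -> str:
    """Human-readable duration for the summary table."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


class LoginSimulator:
    """Stand-in for the target service: reveals only success or failure and
    counts every attempt, the way a server log would."""

    def __init__(self, secret: str):
        self._secret = secret
        self.attempts = 0

    def try_login(self, guess: str) -> bool:
        self.attempts += 1
        # constant-time compare; both strings are ASCII here
        return hmac.compare_digest(guess, self._secret)


def brute_force(service: LoginSimulator, alphabet: str, max_length: int):
    """Basic brute force: enumerate every string in length order until the
    service accepts one. Returns the password, or None if the space runs out."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if service.try_login(guess):
                return guess
    return None


if __name__ == "__main__":
    svc = LoginSimulator("abc")
    found = brute_force(svc, string.ascii_lowercase, 3)
    print(f"found {found!r} after {svc.attempts} attempts")
    for length in (6, 8, 12):
        space = keyspace_up_to(PRINTABLE_ASCII, length)
        print(f"<= {length} printable chars: {space:.2e} candidates, "
              f"online {describe_duration(time_to_exhaust(space, ONLINE_RATE))}, "
              f"offline {describe_duration(time_to_exhaust(space, OFFLINE_RATE))}")
```

The same six-character space that takes centuries at ten guesses per second falls in about a minute at ten billion per second, which is why the rest of this article keeps returning to how passwords are stored.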
2. Hybrid brute force attacks
Hybrid brute force attacks add rules to credential generation instead of trying every combination blindly. In password-cracking terminology, a hybrid attack pairs a dictionary word with a generated part, for example a name followed by two to four digits. Hackers apply the same idea to the username side: make a short list of likely usernames and spend the guessing budget on the password.
Let’s say that a hacker wants to breach the admin area for a small website. Instead of generating symbols for the username, they’ll create a list of options like “admin,” “office,” and the name of the site owner.
The software will only attempt to fill the username field with options from that list. For the password field, it’ll use a basic brute force attack to try as many combinations as it takes to get a correct password.
3. Reverse brute force attack
A reverse brute force attack starts from a single common password, like “12345” or “password,” and tries it against a long list of usernames until it finds an account that uses it. Today this is usually called password spraying: because each account sees only one failed attempt, it slips under lockout rules that count failures per account. Of course, hackers can also combine a reverse attack with a hybrid approach to be more efficient.
Reverse brute force attacks are usually performed against applications or sites for which the hacker already has a list of valid usernames, for example company email addresses harvested from a website or an earlier breach.
4. Dictionary attacks
Dictionary attacks are an upgraded version of the basic attack. Instead of trying every combination of characters, they run through a wordlist of strings and phrases people actually use in credentials: real passwords from earlier breaches (the well-known rockyou.txt list holds some 14 million of them), common names for the username field, and number sequences such as “123456” for the password field.
Dictionary attacks have a far higher success rate per guess; the effort lies in assembling a good wordlist. The more information hackers can add to the dictionary, including anything they know about the target, the better (and more dangerous) it gets.
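The hybrid and dictionary attacks described above are usually combined: a wordlist plus mangling rules (case changes, leetspeak, appended years and symbols). This added example, which is not code from the original article, runs such an attack offline against an unsalted SHA-256 hash. The wordlist, the suffix list, the `LEET` substitution table and the target password “Summer2023!” are all constructed for illustration; real attacks use wordlists of millions of leaked passwords and hundreds of rules.

```python
"""Dictionary attack with mangling rules (a hybrid attack in cracking-tool
terms: wordlist words plus generated suffixes and case/leet mutations).

Added example, not code from the original article. WORDLIST, SUFFIXES, LEET
and the target password are constructed for illustration.
"""
import hashlib
import itertools

WORDLIST = ["password", "welcome", "summer", "winter", "dragon"]   # constructed
SUFFIXES = ["", "1", "123", "!", "2023", "2023!", "2024"]           # constructed
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mutations(word: str) -> list:
    """Case and leetspeak variants of one word, deduplicated, order preserved."""
    forms = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    return list(dict.fromkeys(forms))


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Yield every mutation of every word combined with every suffix.
    Rule-based generation covers the passwords people actually pick
    ('Summer2023!') in a few dozen guesses per word, instead of the 95**11
    candidates a blind search over 11 printable characters would need."""
    for word in wordlist:
        for form, suffix in itertools.product(mutations(word), suffixes):
            yield form + suffix


def sha256_hex(s: str) -> str:
    """The fast, unsalted hash a poorly designed site might store."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Offline dictionary attack against one unsalted SHA-256 hash.
    Returns (password, attempts), or (None, attempts) if the rules miss."""
    attempts = 0
    for guess in candidates(wordlist, suffixes):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # 'Summer2023!' satisfies typical complexity rules: upper, lower, digit,
    # symbol, 11 characters. The constructed "stolen" hash stands in for a
    # breached database entry.
    stolen = sha256_hex("Summer2023!")
    print(crack(stolen))
    # A random 11-character string is in no dictionary, so the rules miss it.
    print(crack(sha256_hex("kq7#Vb2!xR9")))
```

The point of the example is the gap between the two runs: a password that passes every complexity checkbox is recovered in a few dozen guesses, while a random string of the same length survives the whole rule set.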
5. Credentials recycling
One of the most effective brute force attempt types is credentials recycling, better known as credential stuffing. It happens when hackers start their attempt from a database of credentials stolen in another breach, often bought on underground markets, and replay them on other services, betting that people reuse passwords.
If a hacker buys a bot (a bundle of stolen logins and browser sessions) off a marketplace like Genesis Market, which was seized by law enforcement in 2023, they might find that some credentials don’t work anymore. They can then use brute force to try out new passwords for the usernames they already know, typically starting from variations of the old password.
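Credential stuffing, password spraying and single-account brute force leave different fingerprints in a login log, and the defender’s first job is telling them apart. This added example (not code from the original article) runs three simple detections over constructed log lines. The log format, the sample lines (using RFC 5737 documentation addresses) and the thresholds are all assumptions for illustration; real deployments tune the thresholds against their own traffic.

```python
"""Spotting brute force, credential stuffing and spraying in login logs.

Added example, not code from the original article. The log format, the
SAMPLE_LOG lines and the thresholds are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Constructed sample: 203.0.113.7 walks through many usernames and finally
# succeeds (credential stuffing with a hit), 198.51.100.22 hammers one account,
# and a normal user logs in once from 192.0.2.10.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login result=FAIL user=bob ip=203.0.113.7
2024-03-01T10:00:02Z login result=FAIL user=carol ip=203.0.113.7
2024-03-01T10:00:02Z login result=FAIL user=dave ip=203.0.113.7
2024-03-01T10:00:03Z login result=FAIL user=erin ip=203.0.113.7
2024-03-01T10:00:03Z login result=FAIL user=frank ip=203.0.113.7
2024-03-01T10:00:04Z login result=FAIL user=grace ip=203.0.113.7
2024-03-01T10:00:05Z login result=OK user=alice ip=203.0.113.7
2024-03-01T10:00:05Z login result=FAIL user=admin ip=198.51.100.22
2024-03-01T10:00:06Z login result=FAIL user=admin ip=198.51.100.22
2024-03-01T10:00:07Z login result=FAIL user=admin ip=198.51.100.22
2024-03-01T10:00:08Z login result=FAIL user=admin ip=198.51.100.22
2024-03-01T10:00:09Z login result=FAIL user=admin ip=198.51.100.22
2024-03-01T10:01:00Z login result=OK user=alice ip=192.0.2.10
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class Event(NamedTuple):
    ts: str
    result: str
    user: str
    ip: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; unparseable lines are skipped rather than guessed."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def analyze(log_text: str, fail_threshold: int = 5, distinct_user_threshold: int = 5,
            min_fail_ratio: float = 0.8) -> dict:
    """Three signals, each keyed the way an analyst would pivot on it:
    - single_account_bruteforce: (user, ip) pairs with many failures
    - stuffing_or_spraying_sources: IPs failing across many distinct usernames
    - success_after_failures: a success from a source that had already failed
      many times, i.e. a stolen credential that turned out to be valid."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    fails_by_user_ip = Counter()
    fails_by_ip = Counter()
    total_by_ip = Counter()
    users_by_ip = defaultdict(set)
    success_after_failures = []
    for e in events:                      # lines are assumed to be in time order
        total_by_ip[e.ip] += 1
        if e.result == "FAIL":
            fails_by_user_ip[(e.user, e.ip)] += 1
            fails_by_ip[e.ip] += 1
            users_by_ip[e.ip].add(e.user)
        elif fails_by_ip[e.ip] >= fail_threshold:
            success_after_failures.append((e.ip, e.user))
    return {
        "single_account_bruteforce": {
            k: n for k, n in fails_by_user_ip.items() if n >= fail_threshold
        },
        "stuffing_or_spraying_sources": {
            ip: len(users) for ip, users in users_by_ip.items()
            if len(users) >= distinct_user_threshold
            and fails_by_ip[ip] / total_by_ip[ip] >= min_fail_ratio
        },
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

The third signal is the one worth paging on: a successful login from an address that just failed against half a dozen other accounts is the moment a stuffing attack turned into an account takeover.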
6. Rainbow table brute force attack
Rainbow table attacks are a bit more complicated than your average brute force attack, and they target stored passwords rather than a login page. To understand them, we need a bit more background.
Websites can store our passwords in three ways:
- Plain text is dangerous, since any breach leads to a direct loss of credentials.
- Encrypted text is better, but not by much: encryption is reversible by design, so anyone who obtains the key (which usually sits on the same server) can decrypt every password at once.
- Hashes only work in one direction: you can hash a string of plain text, but you can’t turn a hash back into plain text. The site never holds the password itself, only the hash, and compares hashes at login. This is the right approach, but it isn’t infallible.
In practice, hashes aren’t decrypted; they’re guessed. The attacker hashes candidate passwords with the same algorithm and compares the results with the stolen hashes. General-purpose hash functions like MD5 and SHA-256 are designed to run fast, so a single GPU can test billions of candidates per second. That speed becomes a design flaw when such functions are used for passwords, which is why dedicated password-hashing schemes (bcrypt, scrypt, Argon2, PBKDF2) are deliberately slow, and why a breach of fast, unsalted hashes is close to a breach of plain text for any weak password.
To do this efficiently, hackers use a rainbow table: a precomputed, compressed table of hash chains that covers a large set of candidate passwords (all short strings, or a big dictionary) for one hashing algorithm. With the table in hand, inverting a stolen hash is a lookup plus a little recomputation instead of a fresh brute force for every hash. If you have a weak password like “password,” “1234,” or “qwerty,” you’re much more likely to fall victim to this, even when your password is hashed. Rainbow tables only work against unsalted hashes, however: when the site mixes a random per-user salt into each hash, the same password produces a different hash for every account, and the table would have to be rebuilt for every salt value. Because most modern systems salt their hashes, rainbow table attacks are far less common today.
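To show what “precomputed chains” means, and why a salt breaks them, here is an added example that is not code from the original article: a toy rainbow table for 4-digit PINs stored as unsalted SHA-256. The PIN space, chain length, number of chains and the reduction function `R` are choices made for this illustration so the table builds in a fraction of a second; the construction is the same one real tables use over billions of candidates.

```python
"""Toy rainbow table for 4-digit PINs stored as unsalted SHA-256, and why a
per-user salt defeats it.

Added example, not code from the original article. PIN_SPACE, CHAIN_LEN,
NUM_CHAINS and the reduction function R are illustrative choices.
"""
import hashlib

PIN_SPACE = 10_000      # every 4-digit PIN, 0000..9999
CHAIN_LEN = 100         # hash -> reduce steps per chain
NUM_CHAINS = 400        # 400 x 100 = 40,000 hashes precomputed once


def H(s: str) -> str:
    """The fast, unsalted hash the table is built for."""
    return hashlib.sha256(s.encode()).hexdigest()


def R(h: str, pos: int) -> str:
    """Reduction function: maps a hash back into the PIN space. Making it
    depend on the chain position is what turns a plain hash chain into a
    rainbow chain: two chains colliding at different positions don't merge."""
    return f"{(int(h, 16) + pos) % PIN_SPACE:04d}"


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains and keep only (endpoint -> start point). The
    intermediate PINs are not stored; they are regenerated on lookup, which
    is the time/memory trade-off."""
    table = {}
    for i in range(num_chains):
        start = f"{(i * (PIN_SPACE // num_chains)) % PIN_SPACE:04d}"
        p = start
        for pos in range(chain_len):
            p = R(H(p), pos)
        table.setdefault(p, start)     # first writer wins if two chains merge
    return table


def lookup(table: dict, target_hash: str, chain_len: int = CHAIN_LEN):
    """Invert `target_hash` with the table; returns the PIN or None."""
    for i in range(chain_len):             # hypothesis: the target sits at position i
        p = R(target_hash, i)              # ...so this is the next PIN in its chain
        for pos in range(i + 1, chain_len):
            p = R(H(p), pos)               # walk to where that chain would end
        start = table.get(p)
        if start is None:
            continue
        q = start                          # endpoint known: regenerate the chain
        for pos in range(chain_len):
            if H(q) == target_hash:
                return q
            q = R(H(q), pos)
        # endpoint matched but the chain lacks the target: a false alarm from
        # a merged chain, so try the next position
    return None


def pin_at(start: str, pos: int) -> str:
    """The PIN at position `pos` of the chain beginning at `start`."""
    p = start
    for k in range(pos):
        p = R(H(p), k)
    return p


def crack_unsalted(table: dict, pin: str):
    """What an attacker does with a stolen unsalted hash."""
    return lookup(table, H(pin))


def crack_salted(table: dict, pin: str, salt: str):
    """The site stored sha256(salt + pin) with a random per-user salt. The
    chains were computed over bare PINs, so the same table finds nothing;
    the attacker would have to rebuild it for every salt value."""
    return lookup(table, H(salt + pin))


if __name__ == "__main__":
    table = build_table()
    sample = range(0, PIN_SPACE, 100)
    hits = sum(crack_unsalted(table, f"{n:04d}") == f"{n:04d}" for n in sample)
    print(f"{len(table)} chains stored, ~{hits / len(sample):.0%} of sampled PINs recoverable")
    pin = pin_at("0000", 37)
    print("unsalted:", crack_unsalted(table, pin), "salted:", crack_salted(table, pin, "c7e2"))
```

Note that the table stores 400 entries to cover a space of 10,000, and that coverage is less than complete because chains merge; real tables trade coverage, size and lookup time the same way. The salted lookup fails not because salting makes the hash stronger, but because it makes precomputation per user instead of per algorithm.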
What are the Dangers of Brute Force?
Brute force attacks endanger the privacy and security of people all across the globe. They’re more common than you might expect. In 2021, 23% of the companies tracked by Verizon reported brute force attacks.
When hackers successfully perform a brute force attempt, this can cause a lot of different problems. For individuals, the consequences can include:
- Spam content posted on their social media profiles.
- Loss of access to the hacked account.
- Breach of data and private conversations.
- Spread of malicious software or scams through a person’s contacts list.
When brute force attacks target the accounts of developers or administrators (hosting panels, code repositories, deployment credentials), the consequences are even more severe. You get all the negative effects in the list above, multiplied by the number of users on that developer’s application or site.
How to Prevent Brute Force Attacks
If you’re a privacy-minded individual that wants to be protected from brute force attempts, there are several things you can do:
- Create longer passwords. Length is the single biggest factor: every extra character multiplies the number of combinations an attacker has to try. Generation-based attacks have to stop at some maximum length, in practice around eight to ten characters; a random password of 15 or 20 characters is beyond exhaustive guessing altogether.
- Create more complex passwords, but don’t mistake complexity for strength. Mixing letters, numbers, and symbols helps against pure character generation, yet a password like “Summer2023!” ticks every complexity box and falls to a dictionary attack with simple rules. Avoid dictionary words, names, and dates, or use a long passphrase of several unrelated words.
- Don’t use one password for more than one service. This way, if one site is breached, cybercriminals can’t stuff the leaked credentials into your other accounts.
- Enable multi-factor authentication. This is an extra layer of protection that requires a second verification before you can log in, for example a code from an authenticator app, a hardware security key, or (weaker, but far better than nothing) a code sent by text message. With multi-factor authentication, even if a hacker guesses your password, they won’t instantly gain access to your account.
- Use a password manager. If you don’t want to bother creating long, complex passwords for all of your accounts, a password manager will take care of it. This will allow you to use better passwords without having to remember all of them. We personally recommend 1Password, as it’s a secure service that’s very user-friendly.
Improve your online security
Even with the best passwords, your credentials are still vulnerable to breaches. Things like phishing campaigns and man-in-the-middle attacks are always possible. If your credentials were hacked by other means, they can even be used for credential stuffing brute force attempts. That’s why it’s important to improve your overall online security.
If you want to stay protected online, you should be wary of clicking unknown links, be skeptical of outreach from unknown individuals, and stay away from shady apps or sites.
Beyond this, we also recommend using special security apps. The ones that will ensure higher levels of online security are a good VPN and a reliable antivirus. These will secure your connection and protect you from unwanted malware and viruses.
What to Do When You’re Targeted by a Brute Force Attack
It can be hard to tell when you’re the target of a brute force attack while it’s happening. A strong indicator is receiving multiple emails from a platform about login attempts, new devices, or password resets when you didn’t try to log in yourself. Apart from that, you likely won’t notice until your account has already been hacked.
Here’s what you can do in case you’re at the receiving end of a brute force attack:
- Contact the platform that your account is registered on. If you’re lucky, a representative will help you freeze your account. If the account has already been compromised and you can’t recover it, they might remove the account so no one can impersonate you.
- Change your password. If you still have access to your account, make sure to change your password to something that’s unique and secure. This will make it less likely that the brute force attack successfully guesses your credentials.
- Set up multi-factor authentication if you haven’t already. This way, even a correctly guessed password on its own won’t give the attackers access to your account.
Since brute force attacks can be used to target just about anyone, there is no way to make sure you won’t be a target. However, with the tips above, and by changing a password as soon as you suspect it has been guessed or leaked, you can make it far more likely that any ongoing brute force attack on your account will fail.
Brute Force Protection For Developers
If you’re managing an app or site that stores login information, it’s important to take some steps to protect your users from brute force attempts. Here are the best practices to limit brute force attempts on your platform:
- Limit login attempts. Throttle or temporarily lock an account after a handful of failures, ideally with delays that grow with each further failure, so a brute force attack slows from thousands of guesses per minute to a few. Two caveats: lockouts that never expire let an attacker lock legitimate users out on purpose, and per-account limits don’t stop password spraying, so also rate-limit by source IP and alert on failures spread across many accounts.
- Enable a CAPTCHA on your login page, at least after the first failed attempt. We know this might annoy some users, but captchas (those “prove you’re not a robot” popups) raise the cost of automated guessing considerably, even if CAPTCHA-solving services make them a speed bump rather than a wall.
- Store passwords properly. Hash them with a slow, salted password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), never in plain text, reversible encryption, or a fast unsalted hash, so that a stolen database doesn’t hand the attacker every weak password.
- Offer or require a second factor. One-time passwords (OTPs) from an authenticator app, or hardware security keys, mean a guessed password alone isn’t enough. Once mostly confined to the finance sector, they’re now expected wherever sensitive data is handled; if you run a fintech startup, for example, it’s something to consider making mandatory.
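The first and third points above fit in one small service. This added example (not code from the original article) stores passwords with salted PBKDF2-HMAC-SHA256 and applies exponential backoff per account after repeated failures. The `AuthService` and `FakeClock` classes, the 600,000-iteration default, the five-failure threshold and the 30-second base delay are assumptions to tune for your own service; the clock is injectable so the lockout can be exercised without sleeping.

```python
"""Server-side brute force protection: slow salted password hashing plus
per-account exponential backoff.

Added example, not code from the original article. The iteration count,
thresholds and delays are assumptions to tune for your service.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Record:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, iterations: int = 600_000, max_free_failures: int = 5,
                 base_lock_seconds: float = 30.0, clock=time.monotonic):
        self.iterations = iterations            # PBKDF2-HMAC-SHA256 work factor
        self.max_free_failures = max_free_failures
        self.base_lock_seconds = base_lock_seconds
        self.clock = clock
        self.users: dict[str, Record] = {}      # in-memory stand-in for a user table
        self._dummy_salt = os.urandom(16)       # equalises timing for unknown users

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Deliberately slow KDF: every guess costs `iterations` HMAC rounds,
        # online or offline, and the random salt makes precomputed tables useless.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)                   # fresh random salt per user
        self.users[username] = Record(salt=salt, digest=self._derive(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. While locked the password is not
        checked at all, so guesses during a lockout cost the attacker time and
        tell them nothing."""
        now = self.clock()
        rec = self.users.get(username)
        if rec is None:
            self._derive(password, self._dummy_salt)   # same cost as a real check
            return "denied"
        if now < rec.locked_until:
            return "locked"
        if hmac.compare_digest(self._derive(password, rec.salt), rec.digest):
            rec.failures = 0
            return "ok"
        rec.failures += 1
        if rec.failures >= self.max_free_failures:
            # 30 s after the 5th failure, 60 s after the 6th, 120 s after the 7th...
            backoff = self.base_lock_seconds * 2 ** (rec.failures - self.max_free_failures)
            rec.locked_until = now + backoff
        return "denied"


class FakeClock:
    """Manual clock for demonstrations and tests."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    svc = AuthService(iterations=20_000, clock=clock)   # low count only to keep the demo quick
    svc.register("alice", "correct horse battery staple")
    guesses = ["password", "123456", "qwerty", "letmein", "admin", "welcome",
               "correct horse battery staple"]
    print([svc.login("alice", g) for g in guesses])   # five denials, then locked even for the right one
    clock.advance(31)
    print(svc.login("alice", "correct horse battery staple"))   # ok once the lockout expires
```

Two design notes: the unknown-user path still runs the KDF so response time doesn’t reveal which usernames exist, and the backoff is per account, which is exactly why it needs to be paired with per-IP rate limiting and the cross-account failure alerting described above.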
Protect yourself against other kinds of cybercrime by reading our resources on watering hole attacks, man-in-the-middle attacks, swatting, and more.
We hope our article answered all of your questions about brute force attacks. If you’re still left wanting more, check our FAQ section below.
A brute force attack is a hacking attempt that uses specialized software to guess user credentials. The software takes candidate passwords from a dictionary or a list of leaked credentials, or generates them character by character, and submits them to a login page (or tests them against stolen password hashes) until one works. If you want to find out more about how this works and how to protect yourself against this kind of attack, check out our article on brute force attacks here.
Unfortunately, brute force attacks work. In 2021, 23% of companies surveyed by Verizon reported brute force attempts on their systems. That being said, guessing against a live login page is slow, since the service itself limits how many attempts get through, so an attack on a single strong password can take a very long time. Attacks become fast only when the attacker holds a copy of the password hashes and can test guesses offline. If you want to find out more about brute force attacks, read our article “What is a Brute Force Attack and How Can You Prevent It?”.
Let’s say that a cybercriminal wants to hack accounts from a small e-commerce site with few security measures. They’ll run software like Hydra to generate credential combinations. Then, the software will input these combinations into the login page of the e-commerce site. When it hits a combination that logs in successfully (mind you, this can take weeks or months), it notifies the cybercriminal, and the cybercriminal will have access.
Yes, in most cases, brute force attacks are illegal. Ethical hackers may run brute force attacks to uncover weaknesses, but only with the system owner’s written authorization, as part of a penetration test or security assessment. A brute force attack that attempts to steal someone’s credentials is illegal.