Brute force attacks are systematic attacks that continue to attack your logins until they find the correct login information. How can you protect against this?
What is a brute force attack? A brute force attack is when a bot attempts to break into your account by trial and error, trying guesses until it cracks your password or encryption key.
What Is a Brute Force Attack?
As the name suggests, a brute-force attack involves using computers to attempt to breach authentication systems with rapid and overwhelming trial-and-error login attempts. This approach takes advantage of relatively simple attack vectors and the general understanding that many users don’t practice good cyber hygiene. It also involves a bit of luck–attempting to attack multiple accounts can pay off if the numbers are on the side of the hacker.
Account takeovers via brute force methods can not only threaten that account or user but an expanded horizon of interconnected systems. Some of the expected results of a brute-force attack include:
- Site or App Takeover: At a minimum, the breach of user credentials can result in the loss of an administrator account or some account that can provide the hacker with the ability to take over a web application or website for purposes of harvesting data or defacing the site for political or personal reasons.
- Data Theft: If the hacker breaks the authentication protecting a local file (usually an encrypted one), they essentially walk away with that data.
- Lateral System Movement: One of the more troubling results of an account breach is that the hacker can use the credentials and access privileges of the account to attack other systems. For example, the hacker can use a compromised account to launch a malware attack on a connected cloud system.
- Phishing: Depending on the account, the hacker can launch more compelling and dangerous phishing attacks through email, video chat, or SMS. Since the account is a legitimate account for the organization, no one would be the wiser until it was too late.
The truth is that brute force attacks aren’t widespread, if for no other reason than security experts have mitigated their attack surfaces relatively well. However, they serve as a low-level kind of hack that can catch even the most sophisticated enterprise off guard if they aren’t paying attention.
Note that a brute force attack can expose different kinds of data: login names, passwords, or data hidden in encrypted, password-protected files.
What Are the Different Types of Brute Force Attacks?
While the tactics of a brute force attack are relatively straightforward, there are always different approaches that hackers may take to make them more effective. These different approaches can improve the win rate of their attacks in general or against specific targets.
Some examples of brute force attacks include:
- Simple Attacks: In the vanilla version of a brute force attack, the hacker runs an algorithm that tries password combinations as quickly as possible. These are typically ineffective if even basic security measures and practices are in place, and they fail on any login interface that slows the attacker down (e.g., web pages that reload after every attempt). They can be more effective against local encrypted files.
- Dictionary Attacks: Similar to a vanilla attack, with one refinement: rather than throwing every possible combination at the login interface, this uses a dictionary of common words, phrases, and default or commonly used passwords. The attack therefore works through a narrower set of candidates, such as dictionary words or passwords like “password” or “123456”.
- Hybrid Attacks: The hacker uses a base dictionary to begin their attack and then builds on permutations of phrases in that dictionary with expanded brute force methods.
- Reverse Brute Force Attacks: Also known in some applications as password spraying, the attack attempts to use a standard set of password permutations (either on a web login or local file authentication) across multiple files or systems.
- Credential Stuffing: This method takes advantage of the fact that many people reuse credentials on multiple sites and files. The hacker, once having hacked one account or file, will then attempt to “stuff” those credentials into multiple eCommerce, banking, and social networking sites to gain access to other accounts.
This form of attack is older than more modern attacks, but it still has purchase in the field of hacking and security because there are always people that do not follow good cybersecurity practices.
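The attack types above leave two different shapes in an authentication log: a simple, dictionary or hybrid attack piles failures onto one account, while password spraying spreads a few guesses across many accounts. The following Python detector, added here as an illustration and not part of the original post, separates the two; the sshd-style log lines, usernames and addresses are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in an sshd-like format (not real logs):
# one source hammers a single account, another touches many accounts once.
SAMPLE_LOG = """\
Failed password for alice from 203.0.113.7 port 51000 ssh2
Failed password for alice from 203.0.113.7 port 51001 ssh2
Failed password for alice from 203.0.113.7 port 51002 ssh2
Failed password for alice from 203.0.113.7 port 51003 ssh2
Failed password for alice from 203.0.113.7 port 51004 ssh2
Failed password for bob from 198.51.100.9 port 40000 ssh2
Failed password for carol from 198.51.100.9 port 40001 ssh2
Failed password for invalid user dave from 198.51.100.9 port 40002 ssh2
Failed password for erin from 198.51.100.9 port 40003 ssh2
Failed password for bob from 192.0.2.5 port 33000 ssh2
Accepted password for bob from 192.0.2.5 port 33001 ssh2
"""

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def classify_sources(log_text, fail_threshold=4, spray_ratio=0.75):
    """Map each noisy source IP to 'brute_force' or 'spray'.

    brute_force: many failures concentrated on few accounts
                 (simple, dictionary and hybrid attacks)
    spray:       failures spread over many accounts, roughly one each
                 (reverse brute force / password spraying)
    Sources with fewer than fail_threshold failures are ignored as
    ordinary typos; successful logins never count against a source.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
    verdicts = {}
    for ip, users in failures.items():
        if len(users) < fail_threshold:
            continue
        # Share of failures that hit a distinct account: ~1.0 means spraying.
        distinct_share = len(set(users)) / len(users)
        verdicts[ip] = "spray" if distinct_share >= spray_ratio else "brute_force"
    return verdicts
```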
Can Brute Force Attacks Break Encryption?
The short answer is that no system currently exists that can reliably break advanced encryption.
One of the top encryption standards is the Advanced Encryption Standard (AES) published and maintained by the National Institute of Standards and Technology (NIST). The two reliable encryption methods under AES are AES-128 and AES-256, which use a 128-bit encryption key and 256-bit encryption key, respectively.
This means that, in either case, it would take the most powerful computers we have longer than the universe’s age to brute force through AES-encrypted data.
However, it’s very possible that a hacker can brute force attack an authentication method attached to an encrypted file with dictionary attacks, depending on the practices of the user who created the password for that file.
What Are Best Practices to Prevent Brute Force Attacks?
The reason brute force attacks still have some longevity is that people still neglect good cyber hygiene for the sake of simplicity and ease. With some attention paid to best practices, many of the pitfalls of these hacks can be avoided.
Some best practices include:
- Use Multi-Factor Authentication: Deploying MFA to include biometrics or SMS/email tokens and one-time passwords can effectively eliminate the threat of a brute force attack. Even if the hacker guesses the password, they cannot access the system itself.
- Force Increased Password Length and Complexity: An organization can require users to employ long, complex passwords to avoid dictionary attacks. This means longer than 8-10 characters, using some minimum of letters, numbers, and special characters, and disallowing the use of common words and phrases.
- Limit Login Attempts: Brute force attacks rely on systems that allow unlimited access attempts. By limiting attempts to a small number and either locking the system or requiring a cool-down period, your organization can avoid some significant issues of brute force attacks.
- Require Regular Password Updates: Users should change their passwords at least once or twice a year. Furthermore, they should be disallowed from reusing the same password when updating their credentials. This can help mitigate credential stuffing and, if a hacker has gained access to an account, stop them from continuing to use it.
- Use CAPTCHA: Requiring CAPTCHA verification using image matching or user interaction can effectively end brute force attacks against plain password logins.
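The “limit login attempts” practice above, as an added Python example that is not code from the original post or from 1Kosmos: a per-account limiter that locks the account after a set number of consecutive failures and doubles the cool-down on every repeated lockout, so a persistent guesser only gets slower. FakeClock is a constructed helper so the cool-down can be stepped deterministically in the demo; the limits of 5 attempts and 60 seconds are assumptions.

```python
import time

class LoginAttemptLimiter:
    """Per-account login limiter: lock after max_failures consecutive
    failures, doubling the cool-down on every repeated lockout (capped)."""
    def __init__(self, max_failures=5, base_cooldown=60.0,
                 max_cooldown=3600.0, clock=time.monotonic):
        self.max_failures, self.base_cooldown = max_failures, base_cooldown
        self.max_cooldown, self.clock = max_cooldown, clock
        self._failures = {}      # account -> consecutive failures
        self._locked_until = {}  # account -> clock value when lock expires
        self._lockouts = {}      # account -> lockouts so far (drives backoff)

    def seconds_locked(self, account):
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def attempt(self, account, password_ok):
        """Record one login attempt and return (allowed, reason)."""
        if self.seconds_locked(account) > 0:
            return False, "locked"       # refuse before checking the password
        if password_ok:
            for d in (self._failures, self._lockouts):
                d.pop(account, None)     # success resets both counters
            return True, "ok"
        n = self._failures.get(account, 0) + 1
        if n < self.max_failures:
            self._failures[account] = n
            return False, "bad_password"
        k = self._lockouts.get(account, 0)  # k-th lockout lasts base * 2**k
        self._locked_until[account] = self.clock() + min(
            self.base_cooldown * 2 ** k, self.max_cooldown)
        self._lockouts[account], self._failures[account] = k + 1, 0
        return False, "locked"

class FakeClock:                 # constructed clock; step .now in tests
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

def demo():
    """Five wrong guesses lock 'alice' for 60 s; the next lockout lasts 120 s."""
    clock = FakeClock()
    lim = LoginAttemptLimiter(max_failures=5, base_cooldown=60, clock=clock)
    out = [lim.attempt("alice", False)[1] for _ in range(5)]
    out.append(lim.attempt("alice", True)[1])    # correct password, still locked
    clock.now += 60                              # cool-down has elapsed
    out.append(lim.attempt("alice", False)[1])   # counting starts over
    for _ in range(4):
        lim.attempt("alice", False)
    out.append(round(lim.seconds_locked("alice")))  # 120: doubled cool-down
    return out
```

Keyed on the account alone, a lockout like this also lets an attacker lock a legitimate user out, so deployments usually key on source address as well and alert on lockouts.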
Leverage Tomorrow’s Authentication Today and Avoid Brute Force Attacks with 1Kosmos
With modern systems, brute force threats aren’t as dangerous as they used to be. However, many companies still, to this day, don’t restrict password behaviors, don’t implement MFA, and don’t modernize their authentication infrastructure for new mobile devices.
1Kosmos combines MFA, secure blockchain, and identity proofing to provide a strong, decentralized authentication and identity management platform. With passwordless authentication and advanced biometrics, your company doesn’t have to worry about the threat of direct attacks against users or their passwords.
With 1Kosmos, you get the following features:
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
- Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
- Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
- Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
- Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
To see how you can respond to modern authentication challenges, read more on 1Kosmos and how to Go Beyond Passwordless Solutions.