If you read our security articles on a regular basis — like this one about testing your password strength — you’ve probably heard the phrase “brute force attack.” But what, exactly, does that mean? How does it work? And how can you protect yourself against it? Here’s what you need to know.
Brute Force Attacks: The Basics
When it comes down to it, a brute force attack is really simple: a computer program tries to guess a password or an encryption key by iterating through all possible combinations of a certain number of characters. For example, let’s say you wrote an app that tried to brute force a four-digit iPhone passcode. It might guess 1111, then 1112, then 1113, 1114, 1115, and so on until it got to 9999.
The same principle can be applied to more complicated passwords. A brute force algorithm might start with aaaaaa, aaaaab, aaaaac, then proceed to things like aabaa1, aabaa2, aabaa3, and so on, through all of the six-character combinations of numbers and letters down to zzzzzz, zzzzz1, and beyond.
There’s also a technique known as the reverse brute force attack, in which one password is tried against many different usernames. This is less common and harder to use successfully, but it does get around some common countermeasures.
As you can see, this is a rather inelegant way to guess a password. In theory, given enough computing power and enough energy, you could guess any password. In practice, if you’re using anything other than a short, simple password, you have little to worry about: the computing power needed to guess a longer password would consume a huge amount of energy and could take years to finish.
Advanced Brute Force Attacks
Because brute force attacks on anything but very simple passwords are woefully inefficient and time-consuming, hackers have come up with some tools that make them more effective.
A dictionary attack, for example, doesn’t iterate through every possible combination of characters. Instead, it tries words, numbers, or strings of characters from a pre-compiled list that the attacker deems at least somewhat more likely than average to show up in a password (this is the kind of attack you can run with fairly simple network penetration testing software).
For example, a dictionary attack might try a number of common passwords, like “password,” “mypassword,” “letmein,” and so on, before falling back to a standard brute force attack. Or it might append “2016” to every password it tries before moving on to the next one.
Various ways of running brute force attacks exist, but they all rely on trying a huge number of passwords as quickly as possible until the right one is found. Some use more computing power during the attack and little storage; others are faster, but need a large amount of precomputed data stored ahead of time.
Where Brute Force Attacks Are Dangerous
Brute force attacks can be used on anything that has a password or an encryption key, but many places where they could be used have deployed effective countermeasures against them (as you’ll see in the next section).
You’re in the most danger from a brute force attack if you lose your data and a hacker gets hold of it — once it’s on their computer, some of the safeguards that are in place on your machine or online can be circumvented.
How might a miscreant get your data onto their computer? You could lose a flash drive, maybe by leaving it in the pocket of your clothes that you sent to a dry cleaner, like the 4,500 flash drives found in 2009 in the UK. Or, like the other 12,500 devices found, you could leave a phone or a laptop in a cab. It’s an easy thing to do.
Or maybe someone was able to download something from a cloud service because you shared an insecure shortened link. Or maybe you got hit with some ransomware that not only locked down your computer, but also stole some of your files.
The point of all this is that brute force attacks aren’t effective in some places, but there are a lot of ways in which they could be deployed against your data. The best way to prevent your data from getting onto a hacker’s computer is to keep close track of where your devices (especially flash drives!) are.
Protecting Against Brute Force Attacks
There are a number of defenses that websites or apps can use against brute force attacks. One of the simplest and most commonly used is the lockout: if you enter an incorrect password a certain number of times, the account gets locked and you need to get in touch with customer service or your IT department. This stops a brute force attack in its tracks.
A similar tactic uses a CAPTCHA challenge or a comparable task after a few failed attempts. Neither of these methods works against a reverse brute force attack, which fails the password check only once for each account.
Another method that can be used to prevent these attacks (both standard and reverse) is two-factor authentication (2FA): even if a hacker does guess the right password, the requirement for another code or input will stop the attack. Fortunately, more and more services are incorporating 2FA into their systems. It can be a hassle, but it will protect you against a lot of attacks.
It’s worth noting that while these tactics are great for stopping brute force attacks, they can also be turned against a site in other ways. For example, if a brute force attack is launched against a site that locks accounts after five incorrect attempts, its customer service team could get flooded with calls, slowing down the site. Deliberate lockouts could also be employed as part of a distributed denial of service attack.
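As an added example (not code from the original article), here is a small login guard that applies the per-account lockout described above and, because that lockout never trips during a reverse brute force attack, also counts failures per source address. The threshold of five failures per account comes from the article; the per-source threshold of 20, the log format, and the sample log lines are constructed assumptions.

```python
from collections import defaultdict

MAX_FAILURES_PER_ACCOUNT = 5   # classic lockout threshold (from the article)
MAX_FAILURES_PER_SOURCE = 20   # assumed: catches one password sprayed across many accounts


class LoginGuard:
    """Tracks failed logins per account (lockout) and per source address.

    A standard brute force hammers one account and trips the account lockout.
    A reverse brute force fails each account only once, so only the per-source
    counter will notice it. Note that a per-account lockout can itself be abused
    to lock legitimate users out, which is why the thresholds should be tuned."""

    def __init__(self):
        self.failures_by_account = defaultdict(int)
        self.failures_by_source = defaultdict(int)
        self.locked_accounts = set()
        self.blocked_sources = set()

    def record(self, username, source, success):
        """Record one login attempt and return the outcome as a short label."""
        if username in self.locked_accounts or source in self.blocked_sources:
            return "denied"
        if success:
            self.failures_by_account[username] = 0   # reset on a good login
            return "ok"
        self.failures_by_account[username] += 1
        self.failures_by_source[source] += 1
        if self.failures_by_account[username] >= MAX_FAILURES_PER_ACCOUNT:
            self.locked_accounts.add(username)
            return "account_locked"
        if self.failures_by_source[source] >= MAX_FAILURES_PER_SOURCE:
            self.blocked_sources.add(source)
            return "source_blocked"
        return "failed"


def replay(lines):
    """Feed constructed log lines of the form 'user source OK|FAIL' to a guard."""
    guard = LoginGuard()
    outcomes = [guard.record(*line.split()[:2], line.split()[2] == "OK") for line in lines]
    return guard, outcomes


# Constructed sample: a standard brute force against one account ...
STANDARD_ATTACK = ["alice 203.0.113.5 FAIL" for _ in range(6)]
# ... and a reverse brute force: one password tried once against 25 accounts.
REVERSE_ATTACK = [f"user{i} 198.51.100.7 FAIL" for i in range(25)]
```

Replaying STANDARD_ATTACK locks "alice" on the fifth failure, while REVERSE_ATTACK never locks any account and is only caught when the source address reaches 20 failures.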
By far the easiest way to protect yourself against a brute force attack is to use a long password. As the length of a password increases, the computational work required to try all of the possible character combinations grows exponentially. In a paper on the security risks of URL shorteners, the researchers showed how five-, six-, and seven-character tokens were easy to guess, but 11- and 12-character tokens were nearly impossible.
You can apply the same logic to your passwords. Use strong passwords, and you’ll be all but immune to brute force attacks.
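To make the growth concrete, here is an added example (not from the original article) that computes the size of a password keyspace, how long exhausting it would take at a fixed guess rate, and the minimum length a password policy needs for a chosen alphabet to survive a given number of years. The guess rate of one billion guesses per second and the alphabet sizes are assumed values for illustration, not figures from the article.

```python
import math

SECONDS_PER_YEAR = 31_557_600          # 365.25 days

# Assumed alphabet sizes used in the examples below.
DIGITS = 10                            # a numeric PIN
LOWER_AND_DIGITS = 36                  # a-z plus 0-9
PRINTABLE_ASCII = 94                   # letters, digits and punctuation


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Keyspace size expressed in bits; each extra bit doubles the work."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every combination at a constant guess rate."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def min_length_for(alphabet_size, guesses_per_second, years):
    """Smallest length whose full keyspace takes at least `years` to exhaust.

    Integer arithmetic throughout, so the result is exact for large keyspaces."""
    required_guesses = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet_size, length) < required_guesses:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1_000_000_000   # assumed attacker speed: one billion guesses per second
    for name, size in [("digits", DIGITS), ("a-z0-9", LOWER_AND_DIGITS),
                       ("printable", PRINTABLE_ASCII)]:
        for length in (4, 6, 8, 12):
            print(f"{name:>9} x{length:2}: {entropy_bits(size, length):5.1f} bits, "
                  f"{years_to_exhaust(size, length, rate):.3g} years")
        print(f"{name:>9}: need {min_length_for(size, rate, 100)} chars for 100 years")
```

Doubling the length of a six-character a-z0-9 password multiplies the work by another 36^6, which is why a 12-character token resists the same attacker that clears a six-character one in seconds.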
A Surprisingly Effective Attack
For how simple and inelegant it is — it’s called “brute force” for a reason, after all — this kind of attack can be surprisingly effective in gaining access to password-protected and encrypted areas. But now that you know how the attack works and how you can protect yourself against it, you shouldn’t have much to worry about!
Do you use two-factor authentication? Are you aware of other good defenses against brute force attacks? Share your thoughts and tips below!