Here Are the Effective Measures You Can Take to Prevent Brute Force Attack

A brute force attack is one of the simplest hacking methods and has been around for as long as the internet (or even computers) has existed. The theory behind a brute force attack is very simple: if you try, try, and try again to guess a password, you are bound to be right eventually, provided you have an infinite amount of time to try.

In a brute force attack, the attacker attempts to guess the account's password (and username). After a successful brute force attack, the attacker can then use this account to execute a larger attack such as a DDoS (Distributed Denial of Service) attack or data breach/theft, or even shut down the system completely.

The thing is, executing a brute force attack is relatively easy even for beginner hackers, and there are widely available tools that can attempt thousands of password inputs every second. There are also various how-to tutorials on brute forcing available for free, and there is a high likelihood someone has already attempted a brute force attack on your site.

Types of Brute Force Attacks

The basic principle of any brute force attack is to try as many password combinations as possible. Still, several variations of brute force attacks are made to speed up the attack or avoid the website’s safety measures.

Here are some of the most common brute force attack variants:

1. Generic Brute Force

A simple brute force attack can involve different techniques, but it commonly means iterating through all possible password combinations, one at a time. This attack is relatively ineffective on modern websites that limit login attempts, so this type is only commonly used on password-locked files.

2. Dictionary Attack

In this type, the attacker uses a list of words and phrases instead of randomly guessing the password. The attacker builds a “dictionary” and iterates through this list, one entry per attempt. People commonly use certain words and phrases for passwords (e.g., birthday months, city names, etc.), and if the attacker is lucky, this approach can improve the success rate.

3. Hybrid Attack

A hybrid attack essentially combines the above methods and will modify the words/phrases in the dictionary list, character by character, with each attempt. The idea behind this is to minimize the total number of attempts (to avoid security measures) and speed up the process.

4. Rainbow Table Attack

Nowadays, bigger companies in particular often hash their users’ passwords. Password hashing uses a mathematical process to convert passwords into random-looking strings of characters, so the stored password is technically very secure. As a result, it’s much more challenging to guess hashed passwords with a standard brute force attack.

To get around this, a rainbow table attack is a brute force attack that uses a compiled list of pre-computed hashes. The list contains pre-computed outputs of standard hash algorithms and, with time, can be useful in guessing hashed and random passwords.
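A pre-computed list only helps when the same password always produces the same stored hash. The following is an added example, not code from the original article, comparing an unsalted SHA-256 store with a per-user salted PBKDF2 store; the word list, iteration count and function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this demonstration


def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def demo():
    # Constructed stand-in for a pre-computed list: hash -> password.
    table = {unsalted_hash(w): w for w in ["summer2024", "london", "password1"]}
    salt_a, key_a = hash_password("london")   # user A
    salt_b, key_b = hash_password("london")   # user B, same password
    return {
        "unsalted_lookup": table.get(unsalted_hash("london")),
        "salted_found_in_table": key_a.hex() in table,
        "same_password_same_hash": key_a == key_b,
        "verify_correct": verify_password("london", salt_a, key_a),
        "verify_wrong": verify_password("paris", salt_a, key_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a unique salt per user, a list computed once in advance no longer matches any stored value, and two users with the same password no longer share a hash.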

5. Password Spraying

Another common and pretty basic brute force technique is to try a few commonly used password phrases on many different accounts on many different websites. The attempts can be made on thousands, if not millions, of accounts at once.

The main idea behind this is that even when only one user uses a weak or common password on the site, the whole site might be compromised. Password spraying focuses on the number of potential targets, and the perpetrators can then avoid attempt limits/account lockout policies that would typically trigger after several login failures.

For example, some professional attackers are very patient in their password spraying attacks. There are cases where attackers have targeted the same site for months and even years, attempting one attack every day and waiting for just one user with a weak password.

Sites with single sign-on policies and cloud-based authentication are especially vulnerable to password spraying attempts.
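Because spraying spreads its guesses across accounts, a per-account failure counter never reaches its lockout threshold. The following is an added example, not part of the original article, that runs both a per-account counter and a per-source "distinct accounts" check over a constructed log; the log format, thresholds and documentation-range IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5        # assumed: failures on one account before lockout
SPRAY_THRESHOLD = 4          # assumed: distinct accounts failed from one source
WINDOW = timedelta(hours=24)

# Constructed sample: one source makes a single guess per account,
# while bob mistypes his own password once from his usual address.
LOG = """\
2024-05-01T09:00:00 FAIL user=alice ip=203.0.113.7
2024-05-01T09:20:00 FAIL user=bob ip=203.0.113.7
2024-05-01T09:21:00 FAIL user=bob ip=198.51.100.20
2024-05-01T09:22:00 OK user=bob ip=198.51.100.20
2024-05-01T09:40:00 FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:00 FAIL user=dave ip=203.0.113.7
2024-05-01T10:20:00 FAIL user=erin ip=203.0.113.7
"""


def parse(line):
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def analyse(log_text):
    """Return (accounts a lockout policy would lock, sources that look like spraying)."""
    per_account = defaultdict(int)
    per_source = defaultdict(list)          # ip -> [(time, user), ...]
    for line in log_text.splitlines():
        ts, result, user, ip = parse(line)
        if result == "FAIL":
            per_account[user] += 1
            per_source[ip].append((ts, user))
    locked = {u for u, n in per_account.items() if n >= LOCKOUT_THRESHOLD}
    spraying = set()
    for ip, events in per_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct accounts this source failed on within one window.
            users = {u for t, u in events[i:] if t - start <= WINDOW}
            if len(users) >= SPRAY_THRESHOLD:
                spraying.add(ip)
                break
    return locked, spraying


if __name__ == "__main__":
    print(analyse(LOG))
```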

6. Credential Stuffing

Various brute force techniques discussed above are based on the presumption that the attackers don’t already possess a user’s credentials. However, in this type of attack, the perpetrator uses a list of stolen credentials and tries the known usernames and passwords on various other sites.

A credential stuffing attack relies on our tendency to reuse our passwords for multiple accounts (which is very common), and so credential stuffing has a reasonably high success rate. Due to this, cybercriminals often share and sell stolen passwords on forums and the dark web.

How to Prevent Brute Force Attack

1. Requiring Users to Use Stronger Passwords

Making strong passwords mandatory can significantly help in preventing successful brute force attacks. You can require that passwords be of a certain length and contain specific combinations, like a mix of upper/lower case letters, numbers, and symbols.

If you are a network administrator, you can also require your users to use hashed/randomized passwords and incorporate a password management system.

  • Longer Is Stronger: If you are a user, the general rule of thumb is to use the full-length password supported by the website. For example, some websites might only support 8-character passwords. Some others support 15 characters or more. Longer is always better, but obviously, it’s harder to remember long passwords. You can either write it down or use a password management tool in such cases.
  • More Complex Is Better: Consider requiring users to use not only digits and alphabet characters but also symbols and space. Also, require users to use both lower and uppercase in their passwords. If necessary, you can use various password randomizer/hashed password tools for extra security.

2. Implement Extra Layers of Defense

The general principle in preventing brute force attacks is to make it as hard as possible for the attackers to ‘guess’ the password, and there are various things we can do for this purpose, including:

  • Limiting Access Based on IP Address: It can be useful if your website is serving only in specific locations. If you only allow access from a specific IP address range, you can effectively give these brute force attackers a hard time. However, this is certainly not a one-size-fits-all answer.
  • Security Questions: A pretty basic security measure, security questions can act as a secondary defense layer when the attacker has successfully guessed the password via a brute force attack. However, if you ask security questions all the time, it can affect user experience (UX). So, you can mitigate this by only asking security questions after a specific number of failed login attempts.
  • CAPTCHA: CAPTCHA stands for Completely Automated Public Turing tests to tell Computers and Humans Apart, and as the name suggests, CAPTCHA is an automated test to differentiate between humans and bots. Since most brute force attempts tend to involve bots and computer programs, strategically placing your CAPTCHA can be useful in preventing brute force attempts. However, as with security questions, including too many CAPTCHAs can hurt your user experience, so use them strategically and sparingly.
  • 2-Factor Authentication: 2-factor authentication uses something other than the password to authenticate the user’s identity:
      • Something they know: for example, security questions, as discussed above.
      • Something they have: a dongle/token or other physical object that can be recognized by your system.
      • Something they are: fingerprint, face ID, iris scan, and so on.

Again, make sure the 2FA implementation doesn’t disrupt user experience too much. For example, you can ask for two-factor authentication only after a user attempts to access the account with a different login device or from a different location than usual.
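One way to apply these layers without asking every user for everything on every login is to escalate with the number of recent failures and the familiarity of the device. The following is an added sketch, not code from the original article; the class name, thresholds, device identifiers and timestamps (plain seconds) are assumptions.

```python
from collections import defaultdict, deque

CAPTCHA_AFTER = 3      # assumed: failures before a CAPTCHA is added
LOCK_AFTER = 6         # assumed: failures before the account is locked
WINDOW_SECONDS = 900   # assumed: failures older than this are forgotten


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)     # user -> times of recent failures
        self.known_devices = defaultdict(set)  # user -> devices seen on success

    def _recent_failures(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                        # drop failures outside the window
        return len(q)

    def required_checks(self, user, device_id, now):
        """Checks to present before this login attempt is accepted."""
        n = self._recent_failures(user, now)
        if n >= LOCK_AFTER:
            return ["locked"]
        checks = ["password"]
        if n >= CAPTCHA_AFTER:
            checks.append("captcha")
        if device_id not in self.known_devices[user]:
            checks.append("second_factor")     # step-up only for unfamiliar devices
        return checks

    def record(self, user, device_id, success, now):
        if success:
            self.failures[user].clear()
            self.known_devices[user].add(device_id)
        else:
            self.failures[user].append(now)


def demo():
    g = LoginGuard()
    g.record("alice", "laptop", True, now=0)   # constructed login history
    seen = [g.required_checks("alice", "laptop", now=10)]
    for t in (20, 30, 40):
        g.record("alice", "laptop", False, now=t)
    seen.append(g.required_checks("alice", "laptop", now=50))
    seen.append(g.required_checks("alice", "phone", now=50))
    for t in (60, 70, 80):
        g.record("alice", "phone", False, now=t)
    seen.append(g.required_checks("alice", "laptop", now=90))
    seen.append(g.required_checks("alice", "laptop", now=1000))
    return seen
```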

End Words

Due to the nature of brute force attacks, a persistent hacker given an infinite number of attempts and an unlimited time frame will eventually guess the passwords. So, investing in a brute force attack prevention solution would be the right choice: it makes the process harder for the perpetrator and limits their attempts (e.g., by locking out accounts).

If you put enough security perimeters in place and don’t allow your website to be easy prey for brute force attacks, the attacker might turn away to other easier targets.

About the Author: Mike Khorev

Mike is passionate about all emerging technologies in the IT space and loves to write about all of them. He is a lifetime marketing and internet expert with over 10 years of experience in web technologies, SEO, online marketing and cybersecurity.
