What Methods Are Used To Brute Force And How To Stop Them

A brute force attack, as the name suggests, is a repeated, trial-and-error attempt to ‘guess’ or crack the password and/or username credentials needed to access an account, open an encrypted file or message, and so on. Brute force is a pretty ancient attack method and has been around since before the days of the internet. However, it is still popular because it is relatively low risk and still pretty effective.

Depending on the complexity and length of a password, a brute force attack can crack it in anywhere from mere seconds to years. Over the years, various techniques and methods have also been developed to carry out brute force attacks, either to make the whole process faster and more efficient or to get around evolving security measures.

Below, we will discuss such methods and how to effectively stop each of them.

Common Brute Force Methods and How To Stop Them

  1. Basic Brute Force

A basic or simple brute force attack is about trying every possible combination for the password, one at a time. For example, if it’s a 4-digit PIN, we can start with 0000, then 0001, 0002, and so on.

How to stop it: by limiting the number of login/access attempts. Most login authentication systems nowadays lock the user out after several failed login attempts, which is why basic brute force attacks are typically only usable against local encrypted files, where there is no limit on the number of access attempts.

  2. Dictionary Attack

This method is called a ‘dictionary’ attack because it uses a list of commonly used passwords (just like a dictionary) and tests them one by one. This approach is a step above the basic brute force attack since it improves the chance of success instead of trying combinations blindly. However, a dictionary attack still needs a large number of attempts.

How to stop it: limiting the number of login attempts is still effective. Educating users to choose strong passwords and to avoid birthdays and other personally identifiable information (PII) can also help.

  3. Hybrid attack

A hybrid brute force attack combines a dictionary attack with the basic brute force technique: it starts with a list of passwords (the dictionary) and then modifies each password in the list, for example by appending numbers, changing letter case, or substituting characters one at a time.

How to stop it: both of the defenses described for basic brute force and dictionary attacks work here as well.

  4. Rainbow table attack

A rainbow table attack is a more sophisticated, advanced form of brute force attack. Instead of guessing the password at the login prompt, it targets the hashed form in which login credentials are stored. The ‘table’ is a precomputed list of hash values for common plain-text passwords; the attacker compares stolen hashes against this list to find which password produced a given hash value. Once a matching hash is found, the credential is exposed.

How to stop it: rainbow table attacks can be prevented by password ‘salting’. A salt is random data added to each user's password before it is hashed, so that even identical passwords produce different, unique hashes and a table computed in advance no longer matches. Also avoid outdated hashing algorithms such as MD5 and SHA-1, since rainbow tables are typically built for systems that still use them.
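To make the salting point concrete, the following added example (written for this article, not the article's or DataDome's code) contrasts a tiny constructed stand-in for a precomputed table of unsalted SHA-1 hashes with a salted, iterated hash built from Python's standard library; the four-entry password list is a constructed sample, and PBKDF2-HMAC-SHA256 is used as a representative salted scheme rather than one the article names.

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]  # constructed sample


def unsalted_sha1(password):
    """The weak scheme a rainbow table is built for: one fixed hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed stand-in for an attacker's precomputed table (real ones hold millions
# of entries): hash -> plaintext, so a stolen unsalted hash is a single lookup.
PRECOMPUTED_SHA1 = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hex):
    return PRECOMPUTED_SHA1.get(stored_hex)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated hash using PBKDF2-HMAC-SHA256 from the standard library.
    A fresh random 16-byte salt per user means equal passwords get different
    hashes and no table computed in advance covers every salt; the iteration
    count additionally makes every guess expensive. The salt is not secret, so
    it is stored alongside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_hash(password, salted, iterations=1000):
    """True if two users choosing `password` end up with identical stored hashes."""
    if salted:
        return hash_password(password, iterations=iterations) == \
            hash_password(password, iterations=iterations)
    return unsalted_sha1(password) == unsalted_sha1(password)
```

Two users who both pick "letmein" share one SHA-1 hash that the table resolves instantly, whereas their salted hashes differ and neither appears in any table built beforehand.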

  5. Reverse brute force attack

A reverse brute force attack aims to guess the username rather than the password: either the password is already known, or the attacker uses a very common password shared by a lot of people. The perpetrator tests that password against many usernames or encrypted files until the right combination is found.

How to stop it: DataDome offers an effective protection solution against brute-force attacks, including the case where the password is already known. Educating users to choose stronger and more complex passwords can be effective, as can implementing multi-factor authentication (MFA).

  6. Credential stuffing

Credential stuffing is a variation of brute force attack in which the attacker uses stolen credentials to attempt logins on other websites or services. This type of attack relies on the fact that many of us reuse one ‘go-to’ password across all our accounts.

How to stop it: credential stuffing can be very difficult to defend against, but educating users and employees to use a unique password for each service is the most effective approach. Implementing MFA (multi-factor authentication) is also effective, but it can hurt the user experience of the platform.

Important Methods To Stop Brute Force Attacks

Above, we have discussed several approaches to defending against the various brute force attack techniques, mainly by encouraging strong passwords and limiting login attempts. Here are some other important methods we can employ:

  1. Bot Detection Solution

Most brute force attacks today are performed with the help of a bot, and a proper bot detection solution can quickly identify behaviors and activities that indicate a brute force attack. The earlier we detect these bot activities, the better we can mitigate, or even prevent, the damage.

Because today’s fourth-generation bots are very sophisticated at mimicking human behavior, a bot detection solution that accurately analyzes both technical and behavioral data is needed.

  2. Tricking The Attacker

There are various diversionary tactics we can employ to confuse the brute force attacker or the bot used in the attack. For example, after several failed login attempts we can redirect the attacker to different failure pages, which can ‘trap’ the bot. Another option is to grant access to the account but then request the password again a few pages later. Bots tend to rely on expected routines, so this can throw them off balance.

  3. Employing Hashes and Encryption Keys

Another approach is to use encryption keys: the password is ‘scrambled’ into a randomized hash that can only be reconstructed with the right encryption key. Above, we discussed how rainbow table attacks target these hashes, but a good encryption key can be very tough to crack.

Investing in a high-bit encryption key is typically enough to defend against most brute-force attacks. It is recommended to encrypt all your data and communications using 256-bit keys.

End Words

Brute force attacks can be very difficult to defend against, given all the different variations and techniques employed by today’s hackers. However, that does not mean it is impossible.

Since most brute force attacks are initiated by bots and automated software, a bot detection solution like DataDome can be the most effective approach to defending against the various types of brute force attacks and preventing further cybersecurity threats.
