Although we have talked about this subject before, we would like to provide some additional information. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. This trial-and-error approach is made using automated tools, scripts, or bots cycling through every possible combination until access is granted. The attacker systematically checks all possible passwords and passphrases in a database (in some cases, it contains Billions of passwords) until the correct one is found. Alternatively, the attacker can attempt to guess the key, typically created from the password using an essential derivation function. This is known as an exhaustive key search.Goals of a Brute Force Attack include:
- Theft of personal information. These include passwords, passphrases, and other information used to access online accounts and network resources.
- Harvesting credentials to sell to third parties
- Posing as users to send phishing links or spread fake content
- Defacement of websites and other information in the public domain that could damage the reputation of the organization
- Redirecting domains to sites holding malicious content
This information can also be used for positive gains. Many IT specialists use this method of attack to test network security and, more specifically, the strength of the network’s encryption.
Types of Brute Force Attacks. There are several different types of brute force attacks, each of which has the same goals detailed above.
Hybrid Brute Force Attacks: You may have heard of dictionary attacks. These are some of the most common forms of brute force attacks and use a list of words in a dictionary to crack passwords. Other types of attacks may use a list of commonly used passwords. If your password is ‘password,’ for example, a brute force bot would be able to crack your password within seconds.
Reverse Brute Force Attack: Reverse brute force attacks don’t target a specific username but instead use a collaborative group of passwords or a unique password against a list of possible usernames.
Credential Stuffing: When the attacker knows a username and password pairing, they can use this information to gain access to multiple websites and network resources. For example, many users choose the same password to access many different websites for simplicity. Taking precautions like using two-factor authentication and using different passwords for various network resources can prevent brute force attacks that rely on credential stuffing.
How to Prevent Brute Force Attacks:
Brute force attacks typically rely on weak passwords and careless network administration. Fortunately, these are both areas that can be improved easily to prevent vulnerabilities that could bring your network or website resources to their knees. For example, utilizing strong passwords, allowing a limited number of login attempts, and enabling two-factor authentication can prevent brute force attacks.
Ultimately, it is crucial to educate your organization on the importance of password strength and general information security habits. Even with a strong password, employees can fall victim to insider threats if security is not a vital part of your culture.
For additional information or to have your question featured in a future column, please call us at: 855-448-2178 or email us at: info@it21st.com.
