Unlike a dictionary attack, which works through a list of predetermined strings, a brute force attack involves computing every possible key combination. The process is initially fast, but as key sizes increase, so do the time and resources needed to find the correct one. Beyond guessing passwords, the automated software used in a brute force attack can also be turned against cryptographic protections in order to recover encrypted data.
The tactics described above for gaining access are not inherently criminal; they are an application of general problem-solving through enumeration. Cyber criminals and security analysts alike have been known to engage in many forms of exhaustive searching. Criminals do so to steal vital data, while analysts (also known as whitehats) use similar techniques to generate, test and build countermeasures against attacks on an information system’s security.
Defending Your Computer and Online Accounts against a Brute Force Attack
For the average Internet user, deflecting a brute force attack is entirely in the hands of the service providers they hold an account with. But if you happen to be a webmaster or system administrator, you are directly responsible for the security of your online assets. The following best practices help reduce the likelihood of unauthorized access:
Use complex alphanumeric passwords that are not easily guessed. If the application allows it, add a few special characters such as an exclamation mark (!) or underscore (_). This, along with changing your passwords frequently, is the easiest way to keep a brute force attack from succeeding.
Limiting the number of unsuccessful login attempts is also a common practice for preventing a brute force attack. You have likely noticed this with your banking and social media apps: after you fail to provide the correct credentials a certain number of times, your account is disabled. When protecting a personal website or application you own, you might employ software that blacklists a user (or script) by its IP address.
In addition to procedures which blacklist and disable, enforcing intervals between login attempts is a useful tactic for warding off intruders. Nothing disrupts automation more than an opposing script that renders it inoperable, and, given that brute force attacks are almost always automated, verification tools like reCAPTCHA, which require human interaction, can be an effective countermeasure against unauthorized access.
Every so often, you will come across systems whose error message on a failed login hints at whether it was the username or the password that was wrong. It is a better idea to obfuscate and randomize these error messages so they reveal nothing about which part failed. While this may not be helpful to a legitimate user (at least on the surface), it prevents attackers and their scripts from making educated adjustments.
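As an added example (not code from the original article), the following Python sketch combines the lockout, growing-delay and generic-error-message measures described above in a hypothetical LoginGuard class; the user store is constructed for the demo and the clock is injectable so throttling can be exercised without real waiting.

```python
import hashlib
import hmac
import time

# Constructed demo user store: username -> (salt, PBKDF2 hash of the password).
# Iteration count kept modest for the demo; tune it higher in production.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {"alice": (b"salt-alice", _hash(b"salt-alice", "correct horse"))}

MAX_FAILURES = 5          # consecutive failures before the key is locked out
LOCKOUT_SECONDS = 900     # how long a lockout lasts
BASE_DELAY = 1.0          # seconds; doubles after each consecutive failure
GENERIC_ERROR = "Invalid username or password."   # same text for every failure

class LoginGuard:
    """Tracks failures per key (client IP or username) and throttles retries."""
    def __init__(self, now=time.monotonic):
        self.now = now                 # injectable clock for testing
        self.failures = {}             # key -> (consecutive failures, last failure time)

    def _state(self, key):
        return self.failures.get(key, (0, 0.0))

    def required_delay(self, key):
        """Seconds the caller must still wait before another attempt is processed."""
        count, last = self._state(key)
        if count == 0:
            return 0.0
        elapsed = self.now() - last
        if count >= MAX_FAILURES:                       # hard lockout
            return max(0.0, LOCKOUT_SECONDS - elapsed)
        return max(0.0, BASE_DELAY * 2 ** (count - 1) - elapsed)   # back-off

    def attempt(self, key, username, password):
        if self.required_delay(key) > 0:
            return (False, GENERIC_ERROR)   # throttled or locked: not even checked
        record = USERS.get(username)
        # Always compute a hash so response time does not reveal unknown usernames.
        salt, stored = record if record else (b"dummy-salt", b"\x00" * 32)
        computed = _hash(salt, password)
        ok = record is not None and hmac.compare_digest(computed, stored)
        if ok:
            self.failures.pop(key, None)    # success resets the counter
            return (True, "Welcome.")
        count, _ = self._state(key)
        self.failures[key] = (count + 1, self.now())
        return (False, GENERIC_ERROR)
```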
Finally, an extra layer of security can be added to your application or system through two-factor authentication. This can take the form of customized secret questions (presented upon failed and successful login attempts) or randomly generated strings sent to a user’s email or smartphone via SMS/text messaging.
The brute force algorithm existed before the days of the Internet and has yet to disappear from it—even in the face of cybersecurity awareness. It is an ever-present danger, deployed by attackers whenever the right opportunity presents itself. These days, mobile and stationary computers hold far more sensitive information, making a brute force attack all the more lucrative for hackers and cybercriminals. It is up to us to deny it such leeway through applicable security and effective countermeasures.