Brute force or ‘Bruce forcing’ is a common threat that involves systematically guessing passwords until the correct one is discovered. This effort requires a lot of time and resources. As passwords get stronger, the more CPU intensive the effort becomes to guess the correct password. There are several types of brute forcing attacks that attackers use to gain access to accounts and mechanisms that one can use to increase protection.
Types of Brute Force Attacks
Dictionary attack
A dictionary attack is a type of brute forcing that involves using a wordlist. The are words or phrases by themselves with no special characters or numbers. Attackers can create their own custom wordlists or easily find them online. Additionally, there are github repositories that contain several wordlists that can be plugged into password cracking tools (search: ‘Seclists dictionary’). However, preventing these types of attacks are simple, do not use a single word or phrase in your password. Still one of the most common passwords is ‘password’ or ‘qwerty’.
Hybrid Brute Force Attacks
A hybrid attack uses a combination of methods such as a dictionary along with special characters, upper/lower case and numbers.
Reverse Brute Force Attack
This method is the reverse of guessing a password. Instead, an attacker has a password and guesses the username.
Rainbow table attacks
Most of the time, passwords are not stored in a database as plaintext but are hashed using some form of encryption prior to being stored in a database. A rainbow table is a precomputed compilation of plaintexts and matching ciphertexts (encrypted passwords). These tables can greatly speed up the guessing process.
Credential Stuffing
An attacker can gain access to multiple websites or resources by using credentials from a prior data breach. The data obtained from breaches is typically available on the dark web for these types of activities.
Password Spraying
Password spraying is an attack that attempts to access a large number of sites using known account usernames with a few commonly used passwords but is not user specific.
The Future of Brute Force Attacks
The typical PC is limited in CPU functionality and can only work with a set amount of defined data at one time. However, there is a concern that someday quantum computers will provide the ability to quickly break encryption. At a high level, quantum computers are machines that use the properties of quantum physics to store data and perform computations. An article by MIT technology review shows just how a quantum computer could break 2048-bit RSA encryption in 8 hours. If you were wondering earlier, encryption standards do matter. Also, for an in depth article on post-quantum encryption standards, check out this peer reviewed article.
Google is leading the efforts to be able to create the world’s first quantum computer. It is possible that one day soon we will need to adjust our encryption standards.
Prevention
Standard User Accounts
- Use complex passwords
- Do not reuse them on other sites
- Enable 2fa where possible
- Set up a recovery email address or phone number in case of a compromise
Web Application Design
- Use a Web Application Firewall as a layer of defense to protect the asset
- Configure account lockouts. However, If you do not want to deal with manually resetting user account, you can set a time limit on the lockouts (5, 10 or 15 minutes).
- Additionally, be sure to use a strong encryption standard and stay away from custom encryption.
Finally, for educational purposes – see what how long your passwords hold up in a brute force attempt, https://howsecureismypassword.net/ .This site will tell you how long it would take for someone to guess your password.
