Brute force attack: A definition + 6 types to know
December 6, 2021
A brute force attack is a trial-and-error hacking method where attackers submit many queries to gain unauthorized access to a system. Hackers may test millions of login credentials, encryption keys, or URLs until a valid response is returned. Brute force hacking is also extremely prevalent — about 1 in 5 devices or networks will experience these attacks.
With so many of these cyberthreats on the loose, it’s important to know how you can keep your information safe. Keep reading to discover how cybercriminals use brute force attacks and learn tips to help you create a hack-proof password.
Types of brute force attacks
What is brute force, and what are the different methods? In a basic brute force attack, hackers use automated tools to work systematically through every possible combination of letters, numbers and symbols until one matches your credentials. However, this isn’t the only way hackers use brute force password cracking to steal your information. Here are six common ways hackers harness brute force methods.
Simple brute force attacks
In a simple brute force password attack, an attacker tries to logically guess a password. They may try either common passwords or do minimal reconnaissance work to discover personal information, like your pet’s name. This attack can work with passwords like “password” or “fido123.”
Reverse brute force attack
Oftentimes, brute force attacks involve testing many passwords against a known username. In a reverse brute force attack (also called password spraying), hackers test a single common password like “123456” against a long list of possible usernames. Because each account sees only one or two attempts, this technique also slips under per-account lockout rules.
Dictionary attacks
Dictionary attacks involve testing a prepared list of common words, phrases, or previously leaked passwords rather than every possible character combination. These words may be sports teams, seasons, colors, etc. Since users often choose simple, easy-to-remember passwords, dictionary attacks are far more efficient than an exhaustive search at finding login credentials.
Hybrid brute force attacks
Hybrid brute force attacks combine techniques from dictionary attacks and simple brute force attacks. Hackers test combinations involving both common words and random characters. This can allow attackers to crack passwords like “chicago123” or “rover2021.”
Credential stuffing
In credential stuffing, attackers use credentials that have already been stolen. They may find these credentials in data-breach dumps sold on the dark web or collect them via phishing. Bots then test the list of stolen username and password pairs against many other sites. Since as many as 65 percent of internet users reuse passwords, credential stuffing can allow attackers to turn one stolen credential into access to several more accounts.
Rainbow table attack
When computers store passwords, they usually don’t store the password itself (e.g., 12345678). Instead, they store a hash of it (e.g., 25d55ad283aa400af464c76d713c07ad, the MD5 hash of 12345678). A hash is not encryption: it cannot be decrypted back into the password, but the same password always produces the same hash. Rainbow table attacks exploit that property. The attacker pre-generates tables of common passwords with their corresponding hashes (stored in compressed form as hash chains) and then simply looks up each stolen hash. This only works against unsalted hashes; if the site mixes a random per-user salt into each hash, a table computed in advance never contains the right values.
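To make the dictionary, hybrid and rainbow table sections above concrete, the following Python script is added here as an illustration; it is not code from the original article or from any of the tools it names. It builds a small hybrid wordlist (dictionary words plus common suffixes), precomputes their unsalted MD5 hashes into a lookup table, recovers several “stolen” hashes with a single lookup each, and then shows that a salted hash of the same password is not in the table. The word list, suffixes and stolen hashes are constructed for the example.

```python
import hashlib
import os

# Constructed inputs for this example (not from the article): a tiny
# dictionary, the suffixes a hybrid attack appends, and the article's own
# example password so that its MD5 hash appears in the table.
WORDS = ["password", "chicago", "rover", "fido", "summer", "12345678"]
SUFFIXES = ["", "1", "123", "2021", "!"]


def candidates(words, suffixes):
    """Hybrid wordlist: each dictionary word with each suffix, in lowercase
    and capitalised form, which is what a hybrid brute force attack tries."""
    for word in words:
        for suffix in suffixes:
            yield word + suffix
            yield word.capitalize() + suffix


def md5_hex(text):
    """Unsalted MD5 of a password, the hash type in the article's example."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words, suffixes):
    """Precompute hash -> plaintext for every candidate. A rainbow table is
    this idea compressed with hash chains; the final lookup step is the same."""
    return {md5_hex(c): c for c in candidates(words, suffixes)}


def crack(stolen_hashes, table):
    """Offline attack: each stolen hash costs one dictionary lookup.
    Returns {hash: recovered_password} for every hash found in the table."""
    return {h: table[h] for h in stolen_hashes if h in table}


def new_salt():
    """Random per-user salt, generated when the account is created."""
    return os.urandom(16)


def salted_hash(password, salt):
    """Defender side: hash a random per-user salt together with the password.
    A table built before the salt existed cannot contain this value.
    (Real systems should also use a slow password hash such as bcrypt, scrypt
    or Argon2; MD5 is kept here only so the comparison is like-for-like.)"""
    return hashlib.md5(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(WORDS, SUFFIXES)
    stolen = [md5_hex("chicago123"), md5_hex("Rover2021"), md5_hex("Tr0ub4dor&3")]
    print("unsalted hashes recovered:", crack(stolen, table))
    print("salted hash recovered:", crack([salted_hash("chicago123", new_salt())], table))
```

The table holds only 60 entries, yet it recovers “chicago123” and “Rover2021” instantly because the attack cost moves to the precomputation step. The salted hash of the very same password is never found, which is why unsalted fast hashes, not hashing as such, are what make rainbow tables effective.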
Goals of brute force attacks
Cybercriminals may have several motivations for carrying out brute force attacks. The potential for personal profit or gain is the primary one, but here are a few more ways hackers can make these attacks pay off.
Exploit advertisements and data
In the event a hacker gains access to a website, they can profit by placing spam ads or rerouting traffic to their own advertisements to gain commission. They can also collect and sell private data to third parties or data brokers.
Personal data theft
Selling data to advertisers isn’t the only way stolen personal data can profit a hacker. All it takes is the right stolen credential and an attacker could steal your identity, access your bank account, or commit credit card fraud.
Spread malware
Hackers may place malicious software on hacked sites that can spread to visitors’ computers. Once downloaded, malware can collect even more private data, hold files for ransom, hijack your logged-in sessions to impersonate you, or otherwise wreak havoc on victims.
Wreck website reputations
Cybercriminals may ruin websites for personal gain or simply for practice. This can include putting offensive or pornographic material on your site. If you’re unable to remove the offensive content, your website’s reputation could be destroyed.
Find hidden websites
Not every page on a website is linked from somewhere or indexed by search engines. Unlinked admin panels, backup files, and test directories are invisible to a normal visitor but still reachable by anyone who knows the URL. Hackers use brute force tools to request thousands of likely path names (for example /admin, /backup.zip, /old) against a known host until the server answers with something other than “not found.” They can then exploit these pages or scrape data from them.
Brute force attack tools
Brute force attacks can test millions of password/username, web address, or encryption key combinations. Manually testing all these combinations could take years, so attackers use tools to automate this process. Here are some of the most common tools used in brute force attacks:
- Aircrack-ng: A Wi-Fi security suite available for Linux, Windows and other platforms; its dictionary attacks run against captured WPA/WPA2 handshakes.
- John the Ripper: This free, open-source offline cracker can exhaustively generate character combinations (simple brute force) or take a wordlist with mangling rules to perform dictionary and hybrid attacks against stolen hashes.
- L0phtCrack: Meant specifically for recovering Windows account passwords from their hashes, this tool can crack weak passwords in only a few minutes.
- RainbowCrack: This tool generates rainbow tables to use in rainbow table attacks.
- Hydra: One of the most popular online brute force tools, Hydra tests credentials directly against live network services such as SSH, FTP and web login forms.
Examples of brute force attacks
Brute force attacks often target popular platforms where many users store data. This means email domains, online tax services, or food apps could be likely targets. Here are just a few real-world examples of brute force attacks in action:
- 2009 Yahoo attacks: A 2-year-old security flaw allowed attackers a special opportunity to target Yahoo Mail accounts with password-cracking attacks.
- 2013 WordPress attacks: As many as 60 million attempts were made in just one hour during waves of brute force attacks targeting WordPress platforms. Luckily, very few sites were breached.
- 2015 Dunkin’ Donuts attacks: Seeking to exploit reward program perks, hackers gained access to almost 20,000 Dunkin’ mobile app accounts.
- 2015 Alibaba’s Taobao attacks: Hackers used a list of 99 million stolen login credentials with a success rate of 1 in 5, showing how often accounts reuse poor passwords. Nearly 21 million accounts were breached.
- 2021 T-Mobile attacks: Cybercriminals combined brute force attacks with other means to hack into T-Mobile IT servers containing customer data.
5 tips to prevent brute force attacks
Can you prevent brute force attacks? While hackers have an arsenal of tricks up their sleeves, there is plenty you can do to frustrate their brute force attempts. Here are a few tips to help you stay safe from these malicious attacks.
1. Use strong, unique passwords
Brute force attacks rely on weak passwords to succeed, so protect your accounts with complex passwords. Strong passwords are long, difficult to guess, and unique.
Long: Five-character passwords can often be cracked in a matter of seconds, while 20-character passwords could take decades.
Difficult to guess: Using easily guessed information like your birthday or children’s names makes it easier for brute force attacks to succeed with minimal reconnaissance work.
Unique: Reusing passwords leaves you susceptible to credential stuffing attacks, where cybercriminals can use one hacked account to access even more of your data.
2. Consider a password manager
Strong, unique passwords for every one of your accounts are hard to remember. A password manager keeps your login credentials organized and stores them encrypted, and most managers will generate long random passwords for you so that no two accounts share one.
3. Enable two-factor authentication
Two-factor authentication provides additional security by requiring users to verify their identity in more than one step. This could look like logging into an account by first providing the correct password and then entering a security code from an authenticator app or a trusted device. The additional authentication step can stop a cybercriminal who has guessed or stolen your password from accessing your account. Codes sent by SMS can be phished or intercepted, so an authenticator app or a hardware security key is the stronger choice where the service offers one.
4. Disable unused accounts
With so many platforms pushing account creation, today’s digital citizens can acquire dozens, if not hundreds, of online accounts. After all, studies show 70 percent of users have more than 10 password-protected accounts and 30 percent have “too many to count.” These unused accounts can contain confidential data like credit card information. Disabling unused accounts limits the amount of personal data you may have on the internet and gives hackers less opportunity to steal your information.
5. Limit login attempts
Since brute force attacks rely on massive numbers of login attempts, locking an account after a few failed attempts is a logical and effective strategy. Temporary locks for a set period (rather than permanent ones, which would let an attacker lock legitimate users out on purpose) greatly slow brute force attacks against a single account. Note that per-account lockout alone does not stop reverse brute force or credential stuffing, where each account receives only one or two guesses; services also need rate limits per source address, progressive delays, and CAPTCHAs to catch those.
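As an added illustration of this tip (example code written for this page, not a component of any Norton product), here is a small Python login throttle that implements both halves of the advice: it locks an account for an hour after five failures inside a 15-minute window, and it separately throttles a single source address that racks up failures across many different usernames, which is the reverse brute force case a per-account rule alone never notices. The user database, the clock parameter and all addresses are constructed for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Tracks failed logins per account and per source address.

    Per account: after `max_failures` failures within `window` seconds the
    account is locked for `lockout` seconds (the article's "five attempts,
    locked for an hour" pattern). The lock is temporary so that an attacker
    cannot permanently deny service to a legitimate user.

    Per source: once one address accumulates `source_limit` failures in the
    window, regardless of which usernames it tried, further attempts from it
    are refused. This is what catches password spraying / credential stuffing.
    """

    def __init__(self, max_failures=5, window=900, lockout=3600,
                 source_limit=20, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.source_limit = source_limit
        self.clock = clock  # injectable so tests can control time
        self._account_failures = defaultdict(deque)
        self._source_failures = defaultdict(deque)
        self._locked_until = {}

    def _prune(self, q, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while q and q[0] <= now - self.window:
            q.popleft()

    def allow(self, username, source):
        """True if this attempt may proceed to password verification."""
        now = self.clock()
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[username]  # lock expired
        q = self._source_failures[source]
        self._prune(q, now)
        return len(q) < self.source_limit

    def record(self, username, source, success):
        """Call after every verification attempt with its outcome."""
        now = self.clock()
        if success:
            self._account_failures.pop(username, None)
            return
        q = self._account_failures[username]
        q.append(now)
        self._prune(q, now)
        self._source_failures[source].append(now)
        if len(q) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            q.clear()


# Constructed demo accounts. Plaintext is used only to keep the example
# short; a real system stores salted, slow hashes instead.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


def verify(username, password):
    return USERS.get(username) == password


def attempt(throttle, username, password, source):
    """Login handler. It returns the same generic answer for a locked
    account and for a wrong password, so an attacker cannot use the
    response to confirm which usernames exist or are under lockout."""
    if not throttle.allow(username, source):
        return "rejected"
    ok = verify(username, password)
    throttle.record(username, source, ok)
    return "ok" if ok else "rejected"


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(5):
        print(attempt(t, "alice", "wrong", "203.0.113.9"))
    # Sixth try with the right password is still refused: the account is locked.
    print(attempt(t, "alice", "correct horse battery staple", "203.0.113.9"))
```

The per-source rule has a cost worth knowing about: many legitimate users behind one corporate NAT or mobile carrier gateway share an address, so set the source limit well above what real users generate and prefer slowing a source down (or requiring a CAPTCHA) over blocking it outright.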
Brute force methods are some of the most common types of password attacks facing today’s digital citizens. Practicing strong password and digital safety etiquette can help you stay protected.
Brute force attack FAQs
Have other questions on brute force attacks? Here are answers to some of the most commonly asked questions.
What is a brute force attack?
A brute force attack is a trial and error hacking method where attackers submit many queries until one is authenticated. This could look like submitting millions of login credentials, encryption keys, or site URLs. Once a valid response is returned, hackers can gain unauthorized access to a system.
Are brute force attacks illegal?
Brute force attacks are not illegal by themselves. What makes brute force attacks illegal is the intention. Most of the time, hackers have malicious intent: to gain unauthorized access, steal data, or otherwise criminally profit. In these cases, brute force attacks are illegal. In rare cases, brute force attacks can be legal—if the owner gives written consent for penetration testing to be performed, for example.
How common are brute force attacks?
Brute force attacks are very common. Research shows that 23 percent of monitored systems experienced security events related to brute force attacks. That’s over 1 in 5 systems. Of the 23 percent affected systems, 95 percent received between 637 and 3.3 billion attempts.
How does a brute force attack work?
Brute force attacks work by trial and error. A hacker will use an automation tool to test exhaustive lists of login credentials, encryption keys, or site URLs. If the system returns an invalid response, hackers know they’ve entered incorrect credentials. If the system returns a valid response, hackers know they’ve found the correct credential.
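Seen from the defender’s side, the trial-and-error pattern described here is visible in authentication logs. The Python script below is added as an example for this page (it is not from the original article or from any vendor tool); it parses sshd-style log lines, groups attempts by source address and labels each source as a classic brute force against one account, a spray of one password across many usernames, or benign noise, and it flags the case a responder most wants to see: a source that failed many times and then succeeded. The log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines for this example (not a real incident).
SAMPLE_LOG = """\
Dec  6 10:00:01 host sshd[2201]: Failed password for root from 203.0.113.9 port 40001 ssh2
Dec  6 10:00:02 host sshd[2202]: Failed password for root from 203.0.113.9 port 40002 ssh2
Dec  6 10:00:03 host sshd[2203]: Failed password for root from 203.0.113.9 port 40003 ssh2
Dec  6 10:00:04 host sshd[2204]: Failed password for root from 203.0.113.9 port 40004 ssh2
Dec  6 10:00:05 host sshd[2205]: Failed password for root from 203.0.113.9 port 40005 ssh2
Dec  6 10:00:06 host sshd[2206]: Failed password for root from 203.0.113.9 port 40006 ssh2
Dec  6 10:00:07 host sshd[2207]: Accepted password for root from 203.0.113.9 port 40007 ssh2
Dec  6 10:01:00 host sshd[2301]: Failed password for invalid user alice from 198.51.100.7 port 5001 ssh2
Dec  6 10:01:01 host sshd[2302]: Failed password for invalid user bob from 198.51.100.7 port 5002 ssh2
Dec  6 10:01:02 host sshd[2303]: Failed password for invalid user carol from 198.51.100.7 port 5003 ssh2
Dec  6 10:01:03 host sshd[2304]: Failed password for invalid user dave from 198.51.100.7 port 5004 ssh2
Dec  6 10:01:04 host sshd[2305]: Failed password for erin from 198.51.100.7 port 5005 ssh2
Dec  6 10:02:00 host sshd[2401]: Failed password for frank from 192.0.2.10 port 6001 ssh2
Dec  6 10:02:30 host sshd[2402]: Accepted password for frank from 192.0.2.10 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Yield (outcome, username, source_ip) for each matching auth line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("user"), m.group("ip")


def analyze(lines, fail_threshold=5, user_threshold=4):
    """Label each source address by the shape of its failed attempts.

    vertical: many failures against a single account (classic brute force)
    spraying: one source trying many different usernames (reverse brute
              force / credential stuffing, a guess or two per account)
    benign:   below both thresholds, e.g. a user who mistyped once
    success_after_failures marks a source that failed at least
    fail_threshold times and then logged in: a likely compromise.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "failures_before_success": 0})
    for outcome, user, ip in parse(lines):
        s = stats[ip]
        if outcome == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        else:
            s["failures_before_success"] = s["failures"]

    report = {}
    for ip, s in stats.items():
        if len(s["users"]) >= user_threshold:
            verdict = "spraying"
        elif s["failures"] >= fail_threshold:
            verdict = "vertical"
        else:
            verdict = "benign"
        report[ip] = {
            "failures": s["failures"],
            "distinct_users": len(s["users"]),
            "verdict": verdict,
            "success_after_failures": s["failures_before_success"] >= fail_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, r)
```

The thresholds are deliberately low so the sample fires; on a real host tune them against a day of normal traffic, and treat the `success_after_failures` flag as the alert to act on first, since a locked-out or still-guessing attacker is a nuisance but one who got in is an incident.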
What’s the best protection against a brute force attack?
Since brute force attacks work by submitting many attempts, one of the best ways you can protect your accounts is by limiting login attempts. Systems that lock users out for an hour after five login attempts, for example, can significantly slow hackers’ brute force progress. You can also protect your data through strong passwords, two-factor authentication, using a password manager, online security software, and disabling unused accounts.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.