Brute force attacks can crack your passwords

A brute force attack is one of the oldest, most popular and successful hacking techniques in the cyber world. This password-cracking method is mostly a “hit and try” until you finally achieve your goal. However, with the continuous growth of powerful technologies, brute force attacks became much easier to execute. Although it’s a time-consuming approach, the hack is very likely to succeed. Hence, what is a brute force attack exactly, why is it dangerous, and how to defend against it?

What is a brute force attack?

A brute force attack is an attempt to crack personal user information – usernames, passwords, passphrases, or PINs. It’s a type of cryptanalysis attack involving a script or bot used to brute force algorithms (password crackers) to guess the correct combination. The crooks let a computer do the dirty work by utilizing its power to generate infinite variations of the username and password pairs.

Since it relies on programs or bots to automatically solve algorithms and crack passwords, a brute force attack is relatively simple. With enough time and computational resources, there’s a possibility to hack every password-based system. However, these attacks are extremely slow and sluggish as well. Brute force software or a bot must run through every possible combination of characters before guessing the correct credentials.

How does a brute force attack work?

A password of eight characters, including letters, digits and special symbols, makes 406 trillion different combinations. With every additional character, combinations only increase. Hence, the longer the target string (a combination of characters), the harder it will be to crack. However, the number of characters doesn’t define the success of a brute force attack. It also depends on computing power. Hackers might use supercomputers that can make a hundred trillion guesses per second. So, they can obtain the correct password in a blink of an eye.

The time required to crack a password is a vital factor. For instance, a brute force attack executor can decipher a basic password of 7 lowercase letters in milliseconds. However, a 9-character password increases the time to 5 days. 10-character strings can take 4 months, whereas cracking 11-character passwords can take 10 years. Make it up to a 12-character password, and hackers will need 2 centuries.

Brute force attack types

In essence, a brute force attack is an act of guessing as many combinations as possible. However, there are a few variants of this endeavor:

  1. Dictionary attack. It is the most basic attack. The attacker takes a password dictionary (a list of popular passwords) and checks them all. So, if your password is “qwerty123” or “123456”, a brute force bot will crack it in seconds.
  2. Reverse brute force attack. As the name implies, this attack involves a reverse method to guess the credentials. Instead of targeting a set of passwords, a reverse attack runs multiple usernames against a single popular password. Here, attackers attempt to brute force a username with that particular password until they find the correct pair.
  3. Credential stuffing. This brute force attack primarily relies on lists of usernames and passwords from data breaches. These incidents open doors for recycling the same login data on other popular websites.

How to defend against a brute force attack?

Protecting yourself from crooks and their supercomputers might seem like a daunting task. The truth is, there are effective ways to defend yourself, and they are rather simple.

  • Use strong passwords. A brute force attack relies on weak passwords. Your password should be unique, long, and hard to guess. Mix lowercase and uppercase letters, add numbers and special symbols whenever possible.
  • Implement Two-Factor Authentication (2FA). If enabled, 2FA adds a second layer of authentication. When you attempt to log in to your account, you will need to enter a specific code that only you can obtain. Each login attempt will require additional verification and prevent the success of a brute force attack.
  • Check HaveIBeenPwned.com regularly. With more and more new data breaches reported, it’s worthwhile to check whether your accounts are safe. In case of a breach, credentials might end up on public databases or the dark web.
  • Don’t reuse passwords on multiple platforms. As convenient as it might be, you’re letting crooks break into multiple accounts with one pair of credentials.
  • Use a VPN. The success of a brute force attack is mostly a result of weak passwords. However, a VPN can strengthen your online security and privacy in general. By encrypting your traffic, VPN hides everything you do online. It protects you from many other dangers lurking on the internet, including hacking, data or identity theft, spying, and more.

Alex T.

Alex T.


Tags: security