Brute Force Attacks Overview
Have you ever forgotten the password for one of your accounts? Not wanting to click the “forgot my password” button and admit defeat, you try as many possible passwords as you can until you get it right. This trial-and-error method is also a type of attack used by hackers to break into systems: what you are really doing is called a brute force attack. While guessing your own password may take only a few tries, the same cannot be said for breaking into a website. Cracking a server, account, or website may require trying billions or even trillions of possible combinations. Numbers of that size require computers and a coordinated attack.
How Brute Force Attacks Work
The attacker has to keep trying candidate passwords until the correct one is accepted. If a website accepts plain English (or any other language) words as passwords, the attacker can typically start with a dictionary attack, which goes through every single word in a dictionary until the right word unlocks the account. However, websites and servers have evolved over the years and now require passwords to be more than just single words. Passwords now commonly require lower-case and upper-case letters, special characters and numbers. Modern, well-chosen passwords need computers to break them. An exhaustive key search by a computer goes through every combination of letters, numbers, and symbols until the correct one unlocks the account. Furthermore, computers can even break the weaker encryption or hashing schemes that serve to protect stored passwords.
What if the attacker already knows the password but not the username? This calls for a reverse brute force attack. Security breaches can leak users’ passwords, which attackers then use to work backwards into the account. The attacker begins with the known password and brute-forces usernames until the one that pairs with that password is found.
A graphics processing unit (GPU) can be used to crack passwords and ciphers. A GPU runs hundreds of computations in parallel, so it can test hundreds of candidate passwords at once and keep going until the correct one is found.
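To make the cost of a dictionary attack versus an exhaustive key search concrete, here is an added worked example (not code from the article) that estimates how long each search would take under different password policies and guess rates. The character-set sizes, the 170,000-word dictionary and the CPU/GPU guess rates are constructed assumptions chosen for illustration, not measurements.

```python
# Constructed assumptions for this example (not figures from the article):
# character-set sizes a password policy might allow, and rough guess rates.
CHARSETS = {
    "lowercase words only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + symbols": 95,  # printable ASCII
}
GUESS_RATES = {
    "single CPU core (assumed 1e6/s)": 1e6,
    "GPU rig (assumed 1e10/s)": 1e10,
}


def dictionary_search_size(word_count: int) -> int:
    """A dictionary attack makes at most one guess per word in the list."""
    return word_count


def exhaustive_search_size(charset_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the charset."""
    return charset_size ** length


def cumulative_search_size(charset_size: int, max_length: int) -> int:
    """All strings of length 1..max_length; short candidates are tried first."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def expected_seconds(search_size: int, guesses_per_second: float) -> float:
    """On average the correct password sits halfway through the search space."""
    return (search_size / 2) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def compare_policies(length: int, guesses_per_second: float) -> dict:
    """Expected seconds to exhaust each policy's keyspace up to `length`."""
    return {
        name: expected_seconds(cumulative_search_size(size, length), guesses_per_second)
        for name, size in CHARSETS.items()
    }


if __name__ == "__main__":
    words = 170_000  # assumed size of an English word list
    for rate_name, rate in GUESS_RATES.items():
        print(f"--- {rate_name} ---")
        dict_secs = expected_seconds(dictionary_search_size(words), rate)
        print(f"dictionary of {words:,} words: {humanize(dict_secs)}")
        for length in (6, 8, 12):
            for policy, secs in compare_policies(length, rate).items():
                print(f"length {length:2d}, {policy:32s}: {humanize(secs)}")
```

Running the script shows why single dictionary words fall instantly, why adding character classes helps less than adding length (the keyspace grows as charset_size ** length), and how a GPU's parallelism collapses the search time by orders of magnitude.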
Protecting Against a Brute Force Attack
Both users and website/server administrators can take steps to protect against brute force attacks. Users should create long, complex passwords and use a different, unique password for each of their accounts. Use as many special characters and numbers as possible and limit the use of words, especially ones that can be easily guessed.
Administrators can force users to create passwords that are more complex. A website should require a password that is as complex as possible, not a simple one-word password. Furthermore, brute force attacks rely on being able to submit as many combinations as possible. If the administrator limits a user’s login attempts, then after a set number of failed attempts the attacker can no longer continue to submit incorrect password combinations. Administrators can also salt password hashes to ensure greater protection.
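The two server-side defences above, a failed-attempt lockout and salted password hashes, can be shown together in one small login check. This is an added example, not code from the article: it keeps an in-memory user store, derives each stored hash with PBKDF2-SHA256 over a per-user random salt, and locks an account for a fixed window after too many failures. The iteration count, the attempt limit and the lockout duration are constructed policy values for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for this example (assumptions, not from the article).
PBKDF2_ITERATIONS = 200_000      # use the current recommended count in production
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts


class UserStore:
    """In-memory account store with salted password hashes and lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so tests can fake time
        self._users = {}
        # A throwaway salt/hash so unknown usernames cost the same time as real ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = self._derive("dummy", self._dummy_salt)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Salted, slow hash: identical passwords get different digests, and each
        # guess costs the attacker PBKDF2_ITERATIONS rounds of SHA-256.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)   # fresh random salt per user
        self._users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def stored_hash(self, username: str) -> bytes:
        return self._users[username]["hash"]

    def is_locked(self, username: str) -> bool:
        user = self._users.get(username)
        return bool(user) and self._clock() < user["locked_until"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'."""
        user = self._users.get(username)
        if user is None:
            # Burn the same time as a real check so timing does not reveal valid usernames.
            hmac.compare_digest(self._derive(password, self._dummy_salt), self._dummy_hash)
            return "bad_credentials"
        now = self._clock()
        if now < user["locked_until"]:
            return "locked"            # refuse even a correct password while locked
        if hmac.compare_digest(self._derive(password, user["salt"]), user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
        return "bad_credentials"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "password123"))                # bad_credentials
    print(store.login("alice", "correct horse battery staple"))   # locked
```

Two details matter for the defence. The salt means two users with the same password store different hashes, so a leaked database cannot be cracked with one precomputed table, and the slow hash makes every guess expensive. The lockout is checked before the password, so once the limit is hit the attacker gets no further signal even when a guess happens to be right; the constant-time comparison and the dummy hash for unknown usernames avoid leaking which accounts exist.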