What Are Brute Force Attacks?

Brute-force attacks use software that systematically generates candidate passwords, or works through lists of known passwords from data breaches, until one of them matches your password. What are brute-force attacks? They are the threat actors’ robot lock-pickers.

What Are Brute-Force Attacks?

If you’ve forgotten the three-digit combination for the lock on your suitcase you can, if you have the patience, systematically try every combination of numbers starting at 000 and methodically working your way through to 999. One of those combinations must be the correct one.

A brute-force attack against a network or computer works the same way, except that instead of combinations of digits, combinations of letters, digits, and symbols are tried. A variation on this, and the technique far more commonly seen in practice, is to take a very long list of real passwords and try them one at a time. With the suitcase it is obvious that one of the three-digit combinations will work. With a brute-force attack there is no such guarantee: the password may not be in the list, and the space of possible passwords is far too large for a long one to be stumbled upon by chance.

However, the longer the list of passwords, the more chance there is that one of them will match the password of the account under attack. But there is a trade-off: the longer the list, the more time it takes to work through it, and password lists can be very long indeed. Every time there is a data breach, the leaked passwords become available to the threat actors and are added to the brute-force password lists. Lists of standard dictionary words are used as well. This covers more combinations, and gives the attackers more chance of success, but adds to the time taken to work through the list.

The likelihood of a brute-force attack succeeding depends on three factors.

  • Whether your password is unique, or reused across accounts
  • Whether your password has already appeared in a data breach
  • Whether you use a short password or a longer pass-phrase

The Have I Been Pwned website holds the details of over 10 billion compromised accounts, and its Pwned Passwords service lets you check whether a password appears among the passwords leaked in those breaches. You’ll probably find that yours does. With so many leaked accounts, it’s inevitable that there will be duplicates. Of course, if your password is in the Have I Been Pwned database it doesn’t mean that one of your accounts was compromised. It might mean that, but it can also mean someone else’s account was compromised and they happened to use the same password as you.

The important point is that if your password is found on Have I Been Pwned, regardless of where it came from, it is also going to be in the password lists used for brute-force attacks. It doesn’t matter how obscure or robust your password looks; if it’s in the password lists it’s untrustworthy. Brute-force attacks can be thought of as the threat actors having copies of thousands and thousands of keys. They try them one at a time in your door. If one happens to match, they are in. Where the copy of the key came from is irrelevant.
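Checking a password against Have I Been Pwned is safe to do because of how the Pwned Passwords API works: the client sends only the first five hex characters of the password’s SHA-1 hash, receives every known hash suffix in that range, and does the comparison locally, so neither the password nor its full hash leaves your machine. The following is an added example, not code from the page or from Have I Been Pwned, that implements that client-side check. The range response it uses is constructed for the example (the first suffix is the real SHA-1 suffix of the word “password”; the counts and the second suffix are made up), and the `constructed_fetch` function stands in for the HTTP request that a real client would make.

```python
"""Client-side Pwned Passwords check using the API's k-anonymity range model.
Added example; the range response below is constructed, not fetched.

Real protocol: GET https://api.pwnedpasswords.com/range/<PREFIX>, where PREFIX
is the first 5 hex characters of the password's SHA-1. The body is one line
per matching hash, "<remaining 35 hex chars>:<breach count>". The password
and its full hash never leave the client.
"""
import hashlib
from typing import Callable


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate CRLF, blank and malformed lines."""
    table: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue  # skip malformed lines rather than crash on them
        table[suffix.strip().upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 = not found).
    fetch_range(prefix) would perform the HTTP GET in production; it is
    injected here so the check runs offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the service: only the range for SHA-1("password")
# is "known". First suffix is the genuine SHA-1 suffix of "password"; the
# counts and the second suffix are invented for the example.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\r\n",
}


def constructed_fetch(prefix: str) -> str:
    """Hypothetical fetcher: canned body for the one known range, empty body otherwise."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7!"):
        n = pwned_count(pw, constructed_fetch)
        print(f"{pw!r}: " + (f"seen {n} times" if n else "not in sample breach data"))
```

A real client replaces `constructed_fetch` with an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the prefix; everything else stays the same. Any non-zero count means the password should be treated as burned, regardless of how strong it looks.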

You should never use a password in more than one place. If that single password is compromised, all of your accounts are exposed to risk. If you have too many passwords to remember, use a password manager. A good template for a secure password is three unrelated words joined with punctuation, forming a pass-phrase.

How Brute-Force Attacks Work

Brute-force attacks are rarely an end in themselves. They are a stepping-stone in the threat actors’ larger plan. Many systems restrict the number of failed log-in attempts, which makes brute-forcing them much harder, so the main targets for these attacks are often not corporate networks, at least not directly.

Remote user access technologies such as remote desktop protocol (RDP) and secure shell (SSH) should be configured to enforce a delay after a given number of failed access attempts, or to lock the account and force a password reset. Where they are, brute-force attacks move to softer targets: corporate portals, websites, hosted applications, and API keys, as a means of gaining information that can be used to mount a secondary attack on the corporate network.
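Lockout on the service is one half of the defence; the other is noticing the attempt. As an added example, not code from the page, here is a detector that reads sshd log lines and flags any source address that reaches a threshold of failed password logins inside a sliding time window. The log lines are constructed for the example (their format matches the real OpenSSH “Failed password” and “Accepted” messages); syslog timestamps carry no year, so the year is an assumed parameter.

```python
"""Flag SSH password brute-forcing from sshd log lines: any source IP with
`threshold` failed logins inside a sliding `window`. Added example; the log
lines are constructed (formats follow OpenSSH's real messages)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Jan 10 09:15:01 host sshd[2101]: Failed password for [invalid user ]NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """syslog timestamps have no year; the caller supplies one (assumed 2024 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_force(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {ip: {"triggered_at": datetime, "users": [...]}} for each source IP
    that reached `threshold` failures within `window`. Each IP is reported once,
    at the line where it crossed the threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> user names it has tried so far
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successes, key auth, disconnects etc. are ignored
        ip, ts = m["ip"], parse_ts(m["ts"], year)
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"triggered_at": ts, "users": sorted(users[ip])}
    return alerts


# Constructed sample: one address hammering several accounts, one legitimate
# user with a key login and two spaced-out typos.
SAMPLE_LOG = """\
Jan 10 09:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 09:15:02 bastion sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jan 10 09:15:04 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 09:15:05 bastion sshd[2107]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 10 09:15:06 bastion sshd[2109]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 09:15:09 bastion sshd[2111]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Jan 10 09:15:11 bastion sshd[2113]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Jan 10 09:18:40 bastion sshd[2120]: Failed password for bob from 198.51.100.7 port 40031 ssh2
"""

if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(info['users'])} accounts tried, threshold hit at {info['triggered_at']}")
```

The sliding window matters: a user who mistypes a password twice three minutes apart never trips the detector, while five failures in eight seconds do. The same logic applies to RDP event logs or a web application’s authentication log once the line format is swapped.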

Gaining access to a corporate website allows the threat actor to read any files that are not encrypted, and mistakes made during the design and implementation of the website can be exploited. For example, if passwords are stored in plain text the threat actors now have all of the IDs and passwords for that system, not just for the account they compromised, and usually that includes the administrator’s credentials. If those are the same as the administrator credentials for the corporate network, the threat actors have compromised the main network by attacking the less well guarded website or hosted application.

Even if they don’t immediately gain any additional exploitable information, the threat actors can modify webpages and inject malicious functionality so that subsequent logins are recorded and the account credentials captured. They then revisit the website using the compromised account and retrieve the list of recently used IDs and passwords. Eventually, they will obtain the administrator’s credentials.

Trying to crack an Application Programming Interface (API) key is a different but similar type of attack. The threat actors aren’t trying to discover the password to a user account, they are trying to discover the key that grants access to an API. A properly generated key is a long random string that cannot be guessed in any practical time, so these attacks succeed against keys that are short, predictable, or have leaked. If the threat actors can access the API they will attempt to extract information by abusing its functionality.

Semi-Intelligent Brute-Force Attacks

Brute-force packages are easy to locate and download, making them available for any cyber criminal who wants to use them. There are packages with specialisms, such as those that attack Wi-Fi networks or network devices such as firewalls, routers, and other managed appliances.

Pure password look-up brute-force packages read through the password lists and methodically use the passwords one after the other, and do no more than that.

The more sophisticated brute-force packages use each password from the password list as-is, then apply common transformations to the passwords, and try those too. They can work through permutations of the base password, substituting numbers for vowels following the common convention of using 1 for ‘i’, 3 for ‘e’, 4 for ‘a’, and so on. They also translate passwords into leetspeak, where ITEnterpriser becomes ‘17EN7erpr15eR’.

Some brute-force packages will also work through permutations of digits that some users like to add to the end of passwords to represent the current year, the year they were born, or other significant dates.
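The rules described above are easy to reproduce, which is why a single base word turns into thousands of guesses. The following is an added example, not code from the page or from any particular cracking tool, that generates candidates from one base word by combining capitalisation variants, partial and full leet substitutions, and the digit and year suffixes people append. The specific rule set (which letters to substitute, which suffixes and years to try) is an assumption chosen for illustration.

```python
"""Rule-based password mangling: capitalisation, leet substitution and suffix
rules applied to one base word. Added example; the rules are assumptions."""
import itertools
from typing import Iterable, Iterator

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
FIXED_SUFFIXES = ("1", "12", "123", "!", "1!", "01")


def capitalisation_variants(word: str) -> Iterator[str]:
    yield word
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word: str, max_positions: int = 6) -> Iterator[str]:
    """Every partial and full substitution of LEET letters. Capped at the first
    `max_positions` substitutable letters because the count doubles per letter."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET][:max_positions]
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def suffix_variants(word: str, years: Iterable[int]) -> Iterator[str]:
    yield word
    for s in FIXED_SUFFIXES:
        yield word + s
    for y in years:
        yield f"{word}{y}"            # password2019
        yield f"{word}{y % 100:02d}"  # password19


def mangle(base: str, years: Iterable[int] = range(1980, 2025)) -> Iterator[str]:
    """All candidates for one base word, de-duplicated, in generation order."""
    years = list(years)
    seen = set()
    for cap in capitalisation_variants(base):
        for leet in leet_variants(cap):
            for cand in suffix_variants(leet, years):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def count_candidates(base: str) -> int:
    return sum(1 for _ in mangle(base))


if __name__ == "__main__":
    cands = list(mangle("password"))
    print(len(cands), "candidates from one word; first few:", cands[:4])
    print("P4ssw0rd! covered:", "P4ssw0rd!" in cands)
```

For the single word “password” the three distinct capitalisations, sixteen leet combinations and ninety-five distinct suffixes produce 4,560 candidates. Multiply that by a breach list of millions of base words and it is clear why the time to work through a list, not the size of the list, is the attacker’s real constraint.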

As you’ll appreciate, every transformation multiplies the number of candidates, so the work grows with the length of the base password and the number of rules applied. What really decides the cost, though, is how fast each candidate can be tested. Against a live log-in page the attacker is limited by the network and by whatever rate limiting the server applies. Against a stolen list of password hashes, an offline attack, sophisticated brute-force software uses the graphics processing unit (GPU) of the attack computer to compute billions of fast hashes such as MD5 or NTLM per second.

Rainbow Table Attacks

If the threat actors have already gained access to a system, they may use software to extract the stored password hashes, either from the password database on disk or from the compromised server’s memory. Passwords in a well-designed system are not stored as plain text, nor in a reversible encrypted form; only a hash of each password is stored.

When a user enters a password, it is hashed with the same hash function, and if the newly generated hash matches the stored hash the password is accepted. The hash function is one-way: you cannot run it backwards to recover the password, which is why an attacker’s only option is to guess candidates and hash each one.

A rainbow table is a precomputed table that the threat actors build by applying the hash function to each password in their password list and storing the results. In its simplest form it is a plain lookup table of hash to plain text; a true rainbow table stores only the start and end points of long chains of alternating hash and ‘reduction’ steps, trading some lookup time for a far smaller table. Either way, the threat actors look up each stolen hash to see whether it appears. If a hash matches, they know which plain-text password produces it; in other words, they now know the password for that hash. Both techniques depend on the hashes being unsalted. If each stored hash is computed over the password plus a random per-user salt, a separate table would be needed for every salt value, and precomputation no longer pays.

This is used for privilege escalation when the account that was used to gain access to the compromised computer doesn’t have the administrative rights the threat actors need: cracking the administrator’s hash hands them the administrator’s password.
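To make the chain mechanism concrete, here is a working miniature rainbow table. It is an added example, not code from the page, and it goes beyond the page’s description by implementing the real chain-based structure rather than a flat lookup. The toy choices are assumptions: the password space is four lower-case letters, the hash is unsalted MD5, and chain start points are chosen deterministically so the run is reproducible. The last function shows why a per-user salt makes the table useless.

```python
"""Miniature rainbow table. Added example; toy parameters are assumptions.

A chain alternates the hash H with a per-step reduction R_j that maps a hash
back into the password space:
    p0 -H-> h0 -R0-> p1 -H-> h1 -R1-> ... -R(t-1)-> p_t
Only (p0, p_t) is stored; everything in between is recomputed on demand.
"""
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 4
SPACE = len(ALPHABET) ** LENGTH  # 456,976 candidate passwords


def H(plain: str) -> bytes:
    """Unsalted MD5, standing in for any fast unsalted password hash."""
    return hashlib.md5(plain.encode()).digest()


def index_to_plain(n: int) -> str:
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_(h: bytes, position: int) -> str:
    """Map a hash back to *some* password. Mixing in the chain position gives a
    different reduction per step; that is what makes the table 'rainbow' and
    limits how often chains merge."""
    return index_to_plain((int.from_bytes(h[:8], "big") + position) % SPACE)


def chain_plaintexts(start: str, chain_len: int) -> list[str]:
    """p0 .. p(t-1): the plaintexts whose hashes one chain covers."""
    plains = [start]
    for j in range(chain_len - 1):
        plains.append(reduce_(H(plains[-1]), j))
    return plains


class RainbowTable:
    def __init__(self, chains: int = 1000, chain_len: int = 100):
        self.t = chain_len
        self.endpoints: dict[str, str] = {}  # endpoint -> start point
        for i in range(chains):
            start = index_to_plain((i * 7919) % SPACE)  # deterministic starts
            p = start
            for j in range(self.t):
                p = reduce_(H(p), j)
            self.endpoints.setdefault(p, start)  # merged chains: keep the first

    def _walk(self, start: str, target: bytes):
        p = start
        for j in range(self.t):
            if H(p) == target:
                return p
            p = reduce_(H(p), j)
        return None

    def crack(self, target: bytes):
        """Plaintext with H(plain) == target, or None if no chain covers it.
        For each position j the target could occupy in a chain, finish the
        chain from there and see whether it lands on a stored endpoint."""
        for j in range(self.t - 1, -1, -1):
            x = reduce_(target, j)
            for k in range(j + 1, self.t):
                x = reduce_(H(x), k)
            start = self.endpoints.get(x)
            if start is not None:
                found = self._walk(start, target)  # None on a false alarm from a merge
                if found is not None:
                    return found
        return None


def salted(salt: bytes, plain: str) -> bytes:
    """What a sensible system stores instead; the table above cannot look this up."""
    return hashlib.md5(salt + plain.encode()).digest()


if __name__ == "__main__":
    table = RainbowTable()
    victim = chain_plaintexts(index_to_plain(0), table.t)[37]  # a password some chain covers
    print("unsalted:", table.crack(H(victim)))                 # recovers victim
    print("salted:  ", table.crack(salted(b"\x9f\x13", victim)))  # None
```

The table here stores 1,000 pairs of four-letter strings yet can answer for up to 100,000 hashes; a lookup costs at most about t²/2 hash operations instead of a full search. Coverage is not complete (chains merge and collide, and the demonstration picks a password known to lie on a chain), which is also true of real tables. The salted variant fails not because MD5 got stronger but because the preimage the attacker needs is “salt plus password”, which lies outside the space the table was built for.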

Different Types of Brute-Force Attacks

Brute-force attacks can be categorized according to the different techniques they employ.

  • Traditional Brute-Force Attack: An automated software package systematically generates combinations of letters, numbers, and other characters and tries to hit upon the combination that matches the password for the account under attack.
  • Password Look-Up Attack: Automated software reads one password at a time from a huge list of passwords collected from data breaches. Each password is tried against the account under attack.
  • Intelligent Password Look-Up Attack: As above, but each password from the breach list is tried along with transformations of that password. The transformations emulate commonly used password tricks such as substituting digits for vowels or appending a year.
  • Dictionary Attack: Like a password look-up attack, but instead of a list of breached passwords a list of standard dictionary words is used. Transformations can be applied to the dictionary words as well.
  • API Attack: An automated software package generates combinations of letters, numbers, and other characters and tries to hit upon a combination that matches a user’s key for an Application Programming Interface.
  • Rainbow Table Attack: The threat actors extract the password hashes from a compromised computer and look for matching hashes in their own precomputed table of hashed passwords. If a hash matches, they know what plain-text password to use for that account.

COVID-19 Prompts an Increase in Brute-Force Attacks

With the rush to implement remote access systems so that employees could work from home during the COVID-19 pandemic, security has often taken a back seat. The threat actors realize this, of course, and the number of brute-force attacks has increased since the pandemic began.

Threat actors are nimble, and can almost instantly exploit any new situation or major news story by re-deploying their existing threats. Brute-forcing is back in fashion.

How to Protect Against Brute-Force Attacks

While no single defense is foolproof against a brute-force attack, organizations can put in place measures that increase the time it will take for brute-force attacks to succeed, or that require additional actions from the user.

  • Enable multi-factor authentication where possible. This adds something the user has, such as a cell phone or a USB key or fob, to the password. Both factors must be present, so the password on its own is insufficient.
  • Use robust passwords and passphrases that are unique, and store them only as salted hashes produced by a slow password-hashing function, never as plain text or reversible ciphertext.
  • Implement a password policy that instructs and guides staff members on password robustness, complexity, uniqueness, and re-use.
  • Limit log-in attempts to a small number of failures in a given timeframe. Lock the account or enforce an increasing delay when the threshold is reached, or force a password reset. Rate-limit by source address as well as by account, because account lockout on its own lets an attacker lock legitimate users out of their own accounts.
  • Enable CAPTCHAs or other challenge systems designed to prove the access attempt is being made by a human and not a bot.
  • Consider using a password manager. A password manager will automatically generate complex passwords and makes it easy to have a different password for every system.
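Two of the measures above, salted slow hashing and a failed-attempt lockout, belong in the server’s login path. The following is an added example, not code from the page, showing both in one small verifier. Its assumptions are an in-memory user store, scrypt as the slow hash, and an injectable clock so the lockout window can be exercised without waiting; a real deployment would persist the counters and pair this with per-source rate limiting.

```python
"""Password verification with per-user salted scrypt and account lockout.
Added example; in-memory store and injectable clock are assumptions."""
import hashlib
import hmac
import os
import time

_DUMMY_SALT = bytes(16)   # used for unknown users so they cost the same to check
_DUMMY_HASH = bytes(32)


class LoginService:
    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}         # username -> (salt, hash)
        self.failures = {}      # username -> consecutive failure count
        self.locked_until = {}  # username -> time the lock expires

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        # scrypt is memory-hard, so a stolen table is slow to attack even on GPUs.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)   # fresh random salt per user defeats precomputed tables
        self.users[username] = (salt, self._hash(salt, password))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown users get the same answers
        and the same hashing cost as real ones, so responses and timing do not
        reveal which user names exist."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"     # do not even evaluate the password while locked
        salt, stored = self.users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = self._hash(salt, password)
        if username in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        self.failures[username] = count
        return "denied"


if __name__ == "__main__":
    svc = LoginService(max_failures=3, lockout_seconds=60)
    svc.register("alice", "correct horse battery staple")
    for attempt in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(attempt, "->", svc.login("alice", attempt))
```

The constant-time comparison and the dummy hash for unknown users close two side channels a brute-forcer uses to cheapen its work: learning which accounts exist, and learning from response time how close a guess was. The lockout counter is reset only by a successful login or by the lock expiring, so an attacker cannot keep it below the threshold by interleaving guesses with waiting.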