Most companies worry that they will experience a security breach at some point. However, many are under the impression that it either will not happen to them or are protected enough that it cannot happen to their business. Often, busy companies put web security best practices on the back burner, which does not become a priority until AFTER the breach.
In Verizon's 2020 Data Breach Investigations Report, hacking passwords with brute force is still the primary attack vector. Over 80% of breaches are caused by brute force or using lost or stolen credentials.
This means that any online user is constantly under a threat of a security breach. Brute force and dictionary attacks continue to be the main cause of concern where cybercriminals gain access to your personal information and unauthorized data.
Why are Brute-force and dictionary attacks popular?
Brute-force and dictionary attacks are popular because they employ different systemic approaches rather than simply entering random strings of characters. These attacks are also widespread because once attackers have the correct password for an account, they can log in like any other user. No additional exploitation is necessary, and security controls are bypassed. A successful brute-force or dictionary attack is particularly rewarding for the attacker when the compromised account belongs to a system administrator with greater privileges than an ordinary user account.
What is a Brute-force Attack?
Brute-force and dictionary attacks are both cybersecurity attacks. Attempts are made to log in to an account using different passwords to find the correct one to break into the account. Attackers typically use software to automatically test the large numbers of possible passwords required by this attack.
Virtually all organizations have rules for their passwords, which attackers would incorporate into their attack by ensuring the passwords they try to meet these criteria. These attacks succeed because often, many users use common variations on a few passwords.
The success depends on the number of possible combinations. For example, a four-digit PIN contains only numbers that only have 10,000 possible combinations. However, a standard eight-character password has over 2.8 trillion possible combinations, even if it only contains alphanumeric characters.
What is a Dictionary Attack?
A dictionary attack is a type of attack in which the attacker has a list or dictionary of words and phrases that members of the target organization commonly use as passwords. The attacker can then use the dictionary entries and their variations to guess the password, rather than randomly generated passwords.
Dictionary attacks are best suited for systems with weak password rules, especially those that allow passwords to be actual words. However, most systems today require strong passwords that contain numerals and special characters. In addition, modern systems also prohibit common passwords like "password," "123456," and "letmein."
A cybercriminal using brute force or the dictionary attack will eventually succeed if given enough time. The critical issue is whether the attack will succeed quickly enough to make it worthwhile.
There are a few different brute force methods, and the attack can use a different method.
Security Breaches By USB
Brute force attacks are resource-intensive and maybe the first part of a multi-attacks taken in stages. These popular brute force methods can leave you exposed:
So what's to be done?
- Simple brute force attack – uses a systematic approach through automation and scripts to 'guess' the password and doesn't rely on outside logic.
- Hybrid brute force attacks – a combination of a dictionary and a brute force attack. This attack starts with external logic and then the simple approach to cover as many variations as possible.
- Dictionary attacks – targets word strings or phrases against usernames or passwords
- Rainbow table attacks – a pre-computed table reversing cryptographic hash functions of limited characters and lengths.
- Reverse brute force attack – information gathered from previous data breaches allows hackers to use passwords against multiple usernames or a common password.
- Credential stuffing – Because users are known to use the same or similar passwords across multiple sites, credential stuffing uses a previous-known password and username combinations against multiple websites to exploit the system.
- Simple brute force attacks - hackers use logic instead of tools or software to guess credentials.
- Password spraying – applying one password to multiple single sign-on accounts and cloud-based apps to avoid getting locked out or caught.
- Botnets – can be used in any brute force attack and creates an extra layer of anonymity attackers save time and resources by using hijacked computers to attack algorithms.
Why are Brute Force Attack Tools Important?
Brute force attacks discover hidden pages and content in a web application and your protected data. Attackers use many different brute force tools to get the job done.
Popular brute force tools:
- Aircrack-ng — A free brute force wifi password cracking tool used to breach passwords and wireless connections on Windows, Linux, iOS, and Android.
- John the Ripper — This free software can perform attacks by combining text and numbers and a dictionary of passwords. It runs on platforms including Unix, Windows, and OpenVMS.
- L0phtCrack — cracks Windows passwords using rainbow tables, dictionary attacks, brute force attacks, hybrid attacks, rainbow tables, and multi-processor algorithms.
- Hashcat - is a free CPU-based password cracking tool for Windows, Linux, and Mac OS to perform simple brute force, rule-based, combinator, dictionary, fingerprint, hybrid, mask, permutation, table-lookup, and toggle-case attacks.
- DaveGrohl — Is an open-source tool for cracking Mac OS. It can be distributed from multiple computers to attack the same hash password.
- Ncrack - can be used on Windows, Linux, and BSD platforms to crack network authentication and perform different attacks.
- THC Hydra - an open platform with the ability to crack passwords of network authentications by performing brute force attacks. It performs dictionary attacks against more than 50 protocols and multiple operating systems
- Ophcrack - A free, open-source tool used to crack Windows less than 14 character passwords within minutes through LM hashes and rainbow tables.
- Rainbow Crack - This is different from other conventional brute-forcing tools. It generates pre-computed rainbow tables while performing the attack to reduce attack performance time.
As noted above, many tools help carry out the brute force attack. While these tools are important to hackers, they are also important for you. You can also do what the hacker can do with the tool to identify security holes or gaps within your system.
Defend and Prevent
To keep yourself and your company network safe, you'll need to take special precautions. You will need to enforce user behavior best practices and ensure the network security systems are.
Here are a few best practices for employees and company administrators to help protect against a brute force attack.
Best practices – for the individual employee
It may seem straightforward for many employees what to do and not do within a company network. However, many data breaches happen due to an employee or human error, and here are a few best practices employees should know.
The best and main defense against password attacks is to ensure your passwords are as strong and encrypted. Because an attacker wants to get in and get out of your system as quickly as possible, brute force attacks rely on time to be successful. The harder it is to guess the password, the longer time it takes. The longer it takes to slow down the attacker, the less worthwhile it is; most attackers will generally give up and move on to the next victim.
Tips to strength passwords against brute attacks:
- Make longer passwords with a variety of characters. As a best practice, choose 10 or more characters that include numbers and symbols.
- Elaborate passphrases. Choose complex passphrases with extra characters and character types instead of single words since not all websites accept long passwords. Example: SuPermaNr!D3StheDCK (supermanridestheduck).
- Create rules for passwords. The toughest passwords to crack are the ones that only make sense to you. Consider using truncated words, like replacing "duck" with "dck" to create a string that makes sense only to you. You could even drop vowels or only use the first letter of each word followed by numbers and characters.
- Don't use frequently used passwords. Avoid common passwords and make sure to change them frequently.
- Unique passwords for every website. Never reuse a password to avoid being a victim of credential stuffing. For a higher level of security, you could choose a different username per site as well.
- Password manager. Keep track of your unique usernames and passwords by installing a password manager to help automate, create, and keep track of your online login information. You access all your accounts by logging into the password manager and navigating to your websites accordingly. Password managers allow you only to remember ONE password as the rest are stored safely.
Cybersecurity best practices for a company
Limit Login Attempts
The most effective forced attack is the counterattack of locking the account after several consecutive unsuccessful login attempts. Some systems also implement additional measures when users repeatedly fail to log in successfully. For example, an iPhone can be set to wipe all its data after ten failed attempts.
Extend Login Time
An administrator can also increase the time to log in while ensuring authorized users aren't significantly inconvenienced. For example, a delay of one second is unlikely to bother a user, but it can quickly become significant when attempting a brute-force attack. The countermeasure is particularly effective when the attacker cannot execute multiple attacks simultaneously, a tactic known as parallelizing the attack.
Require a Captcha
Another possible response to multiple failed logins is requiring a captcha, a challenge-response test designed to determine whether the login attempts are coming from a human user. In addition to identifying automated attempts, captchas also significantly slow down brute-force attacks.
To beat a cybercriminal is to walk like a cybercriminal
You should take data security seriously. It is important to have all sensitive data encrypted.
Since data can be intercepted while at rest, in transit from a server to a client or browser, cybercriminals only need to target information sources that give them access through stealing private keys to man-in-the-middle attacks.
Computer intelligence is needed to run brute force password software. And cybercriminals have worked out hardware and software solutions to make their job a lot easier. You can mimic their same actions and run the brute-force attacking tools yourself for penetration testing. Pentesting is the art of hacking your own IT system the same way a hacker would.
Or you can strengthen your security posture with RedTeam Security's penetration testing. Penetration testing will help identify and exploit your organization's security vulnerabilities through a systematic testing process focused on your networks, applications, physical facilities, and human assets.
At RedTeam Security, we offer a free security consultation. You can schedule your appointment online or call (952) 836-2770 today. Get in touch with us today to ensure you're doing everything to protect your computer systems and your business reputation.
10-Point Offensive Security Checklist
Download Free Resource Download Free Resource