Brute-force Attack and Dictionary Attack

Brute-force and dictionary attacks are both cybersecurity attacks in which the attacker attempts to log into an account by trying different passwords until the correct one is found. These common attacks often succeed because many users rely on common variations of a few passwords. Rather than simply entering random strings of characters, brute-force and dictionary attacks each employ a systematic approach.

These attacks are also popular because once attackers have the correct password for an account, they can log in like any other user. No additional exploitation is necessary, and the security controls protecting the system are bypassed. A successful brute-force or dictionary attack is particularly rewarding for the attacker when the compromised account belongs to a system administrator, since that account has greater privileges than an ordinary user account.

Brute-force Attack

Brute-force attacks try every possible combination of characters in the keyspace to identify the correct password for a user's account. Attackers typically use software to automatically test the large number of possible passwords that this type of attack requires. Virtually all organizations have rules for their passwords, which attackers incorporate into their attack by ensuring that the passwords they try meet these criteria.

A brute-force attack will eventually succeed given enough time, assuming the target system doesn't employ appropriate countermeasures. The critical issue is whether the attack will succeed quickly enough to be worthwhile, which depends on the number of possible combinations. A four-digit PIN contains only numbers, so it has only 10,000 possible combinations. A standard eight-character password has over 2.8 trillion possible combinations, even if it only contains alphanumeric characters.
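The keyspace arithmetic behind those two figures, worked through as an added example (this code is not from the original article). It computes the size of a keyspace from the character-set size and the password length, and then the worst-case time to try every candidate at an assumed guess rate; the character-set groupings and the two guess rates (an unthrottled service versus one that imposes a 1-second delay per attempt) are assumptions made for the illustration:

```python
# Added example: keyspace size and exhaustive-search time for the password
# shapes discussed above. Character-set sizes are standard groupings and the
# guess rates are assumed; neither comes from the article.

# (label, size of character set, password length)
SHAPES = [
    ("4-digit PIN", 10, 4),
    ("8 chars, lowercase + digits", 36, 8),
    ("8 chars, mixed case + digits", 62, 8),
    ("8 chars, printable ASCII", 95, 8),
]


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters drawn from a
    character set of `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate.
    (On average the correct guess turns up after half the keyspace.)"""
    return size / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, length in units:
        if seconds >= length:
            return f"{seconds / length:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(guesses_per_second: float) -> None:
    """Print keyspace and worst-case exhaustion time for every shape."""
    print(f"\nAt {guesses_per_second:,.0f} guesses/second:")
    print(f"{'password shape':<32}{'keyspace':>22}{'worst case':>16}")
    for label, charset_size, length in SHAPES:
        ks = keyspace_size(charset_size, length)
        worst = human_time(seconds_to_exhaust(ks, guesses_per_second))
        print(f"{label:<32}{ks:>22,}{worst:>16}")


if __name__ == "__main__":
    report(1_000)   # assumed: service that answers a guess every millisecond
    report(1)       # assumed: the same service with a 1-second delay per attempt
```

Running it shows why the PIN is hopeless (10,000 guesses is minutes of work at any realistic rate) while a 36-character alphabet already puts an eight-character password at 2,821,109,907,456 candidates, and why a fixed per-attempt delay matters: it divides the attacker's rate without changing the keyspace.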

Dictionary Attack

A dictionary attack is a type of attack in which the attacker has a list, or dictionary, of words and phrases that members of the target organization commonly use as passwords. The attacker then tries the dictionary entries and variations of them, rather than randomly generated candidates.

Dictionary attacks are best suited for systems with weak password rules, especially those that allow passwords to be actual words. However, most systems today require strong passwords that contain numerals and special characters. In addition, modern systems also prohibit common passwords like "password", "123456" and "letmein".
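An added example of the defensive side of the two paragraphs above (not code from the original article): a password-policy check that rejects common passwords and dictionary words, including the simple variations a dictionary attack would try (appended digits or symbols, leetspeak substitutions), and then enforces the numeral and special-character requirements the article mentions. The two word lists are constructed for the example; a real deployment would load a breach-derived common-password list and a full word list:

```python
import re
from typing import Optional

# Constructed sample lists for this example; not from the article and far
# smaller than anything a real system would use.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "welcome"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "company"}

# Substitutions a dictionary attack's rule set applies to plain words; the
# checker undoes them so "P@ssw0rd" is judged as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def candidate_forms(candidate: str) -> set:
    """Every reduced form of the candidate that the word-list check should see."""
    lowered = candidate.lower()
    # Drop trailing digits/symbols ("summer2023!" -> "summer") and keep both forms.
    forms = {lowered, re.sub(r"[^a-z]+$", "", lowered)}
    # Undo leetspeak on each form as well.
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    return forms


def weakness_reason(candidate: str) -> Optional[str]:
    """Return why the candidate is rejected, or None if it passes the policy."""
    forms = candidate_forms(candidate)
    if forms & COMMON_PASSWORDS:
        return "matches a common password"
    if forms & DICTIONARY_WORDS:
        return "is a dictionary word or a simple variation of one"
    if not re.search(r"\d", candidate):
        return "missing a numeral"
    if not re.search(r"[^A-Za-z0-9]", candidate):
        return "missing a special character"
    return None


if __name__ == "__main__":
    samples = ["password", "P@ssw0rd1", "Summer2023!", "Dr4g0n!!",
               "Correcthorse", "Tz7#kq9Lp!2w"]
    for pw in samples:
        print(f"{pw!r:18} -> {weakness_reason(pw) or 'accepted'}")
```

The word-list check runs before the complexity rules on purpose: "P@ssw0rd1" satisfies a naive "must contain a numeral and a special character" rule, yet it is one of the first variations a dictionary attack generates from "password", so the policy must see through the substitutions rather than reward them.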

Defenses

The most effective defense against a brute-force or dictionary attack is to lock the account after a certain number of consecutive unsuccessful attempts. Some systems also implement additional measures when a user repeatedly fails to log in. For example, an iPhone can be set to wipe all of its data after 10 failed attempts.

An administrator can also increase the time needed to log in while ensuring that authorized users aren't significantly inconvenienced. For example, a delay of 1 second is unlikely to bother a user, but it quickly becomes significant over the enormous number of attempts a brute-force attack requires. This countermeasure is particularly effective when the attacker is unable to run multiple attempts simultaneously, a tactic known as parallelizing the attack.

Another possible response to multiple failed logins is to require a captcha, which is a challenge-response test designed to determine whether the login attempts are coming from a human user. In addition to identifying automated attempts, captchas also significantly slow down brute-force attacks.
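The three defenses just described (account lockout after consecutive failures, a delay that grows with each failure, and a captcha demanded after repeated failures) combined in one login guard, as an added example that is not part of the original article. The thresholds, the delay schedule and the credential store are assumptions chosen for the illustration, and `simulate()` scripts a burst of guesses followed by the real account owner logging in, using a simulated clock so it runs offline:

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical policy values chosen for this example, not taken from the article.
CAPTCHA_AFTER = 3        # consecutive failures before a captcha is demanded
LOCK_AFTER = 5           # consecutive failures before the account locks
BASE_DELAY = 1.0         # seconds; the enforced delay grows with the failure count
LOCK_SECONDS = 900.0     # length of the lockout

# Constructed credential store for the example; a real system would compare
# against a salted password hash, never a stored plaintext.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    not_before: float = 0.0    # earliest time the next attempt is accepted
    locked_until: float = 0.0  # lockout expiry (0 means not locked)


class LoginGuard:
    """Tracks per-account failures and decides what a new attempt must satisfy."""

    def __init__(self) -> None:
        self.state: Dict[str, AccountState] = {}

    def check(self, user: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            return "delay"            # progressive delay still running
        if st.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, user: str, now: float) -> None:
        st = self.state.setdefault(user, AccountState())
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS
        st.not_before = now + BASE_DELAY * st.failures   # 1s, 2s, 3s, ...

    def record_success(self, user: str) -> None:
        self.state.pop(user, None)   # a good login resets the counters


def attempt(guard: LoginGuard, user: str, password: str, now: float,
            captcha_solved: bool = False) -> str:
    """Process one login attempt and return the outcome shown to the client."""
    verdict = guard.check(user, now)
    if verdict in ("locked", "delay"):
        return verdict
    if verdict == "captcha" and not captcha_solved:
        return "captcha_required"
    expected = USERS.get(user, "")
    # Constant-time comparison; unknown users take the same path as bad passwords.
    if user in USERS and hmac.compare_digest(expected.encode(), password.encode()):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, now)
    return "denied"


def simulate() -> List[Tuple[float, str]]:
    """Scripted burst of guesses against 'alice', then the owner's real login."""
    guard = LoginGuard()
    script = [  # (simulated time, password tried, captcha solved?)
        (0.0, "wrong1", False), (0.5, "wrong2", False), (1.0, "wrong3", False),
        (3.0, "wrong4", False), (6.0, "wrong5", False), (6.0, "wrong5", True),
        (10.0, "wrong6", True), (11.0, "correct horse battery staple", True),
        (911.0, "correct horse battery staple", True),
    ]
    return [(t, attempt(guard, "alice", pw, t, captcha)) for t, pw, captcha in script]


if __name__ == "__main__":
    for t, outcome in simulate():
        print(f"t={t:>6.1f}s  {outcome}")
```

Two design points worth noting: the guard keys its state on the account, not the client address, so the lockout still applies when the guesses arrive from many parallel sources; and even the correct password is refused while the lock is in force, which is exactly the trade-off the article describes, since the legitimate owner is inconvenienced until the lockout expires (or, on a system configured like the iPhone example, loses the data entirely).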
