If at first you don’t succeed, try, try again. While this classic adage is meant to help motivate people to push past failure, it can also be unofficially considered the motto of brute force attacks. A brute force attack is “a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys” (Fortinet). Instead of relying on tools or techniques used to steal passwords from unsuspecting victims, such as social engineering, brute force attacks work just as they sound: the hacker tries thousands of password combinations to force their way into an account.

How Does a Brute Force Attack Work?

As mentioned above, in a brute force attack the hacker simply tries thousands upon thousands of different password combinations until one of them opens the account. As a result, these types of attacks are “particularly effective against systems with weak passwords or other vulnerabilities”; the weaker the password, the easier it is for a hacker to brute force their way into an account (Wickramasinghe). Brute force attacks remain a viable option because “many people still use weak passwords, such as ‘password123’ or ‘1234’, or practice poor password etiquette, such as using the same password for multiple websites” (Fortinet). There are many different types of brute force attacks, each varying in their level of sophistication.

Traditional Brute Force Attacks

The most basic type of brute force attack is often referred to as a simple brute force attack, which is “when a hacker attempts to guess a user’s login credentials manually without using any software” (Fortinet). During this type of brute force attack, a hacker will “work through all possible combinations hoping to guess correctly” (Kaspersky). Essentially, the hacker tries one candidate password after another for an account until they find the correct one or decide to move on to another account. If this sounds time consuming, that is because it is. As a result, hackers will usually only use a simple brute force attack “as a last resort since they can be time-consuming and may not always be successful” (Wickramasinghe).

More frequently, hackers will utilize special types of software that can “try a vast number of combinations in a short period of time” (Wickramasinghe). This makes it much easier for a hacker to conduct brute force attacks, since they can set up multiple devices with this software and try to force their way into multiple accounts at once. Many brute force applications “use rapid-fire guessing that is built to create every possible password and attempt to use them” (Kaspersky). Theoretically, a brute force attack using software, “if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password” (MITRE). One distinction matters when judging that feasibility: in online guessing, every attempt is a login request to the live system, so the target can throttle or lock the account, whereas in offline cracking the hacker has already stolen a database of password hashes and tests guesses on their own hardware, limited only by how fast that hardware can compute the hash. The tools listed next are built for the offline case.

Fortinet outlines the following tools as commonly used to perform brute force attacks:

Aircrack-ng: A suite of tools that assess Wi-Fi network security to monitor and export data and attack an organization through methods like fake access points and packet injection.

John the Ripper: An open-source password recovery tool that supports hundreds of cipher and hash types, including user passwords for macOS, Unix, and Windows, database servers, web applications, network traffic, encrypted private keys, and document files.

Fortinet

Additionally, in some cases, hackers may use social engineering or perform research on their target to help narrow down the list of possibilities. Sometimes, all it takes is “minimal reconnaissance work to crack an individual’s potential password” since it is possible that the victim’s password is as simple as “the name of their favorite sports team” (Fortinet).

Dictionary Attacks

While some disagree on whether a dictionary attack is a type of brute force attack, it is executed in much the same way. Essentially, the hacker “tries each of the words in a dictionary as passwords to gain access to the system via some user’s account” (MITRE). Instead of trying every possible password combination, the hacker will limit their guesses to “all words in the dictionary, as well as common misspellings of the words” in an attempt to break into an account (MITRE). Aside from saving the hacker time, a dictionary attack allows for a more customized approach to a brute force attack. For example, if a hacker were targeting accounts on a website related to sports, they might create a list of dictionary words related to sports, including team names, and use that customized list to try and break into the accounts. Not only is the name of a sports team easier for a user to remember, it is also relevant to the website, making it a prime candidate for an easy-to-guess password.

Kaspersky notes that brute force software “can find a single dictionary word password within one second”. Additionally, many hackers will also include common misspellings or alterations of words when performing dictionary attacks, so simply swapping out a character or two, while more secure, might not be enough to keep your account safe. Thus, it is best to use a longer password than a simple word or two and one that includes multiple symbols and numbers.

Reverse Brute Force Attacks

Aside from traditional brute force attacks, there is a type of brute force attack known as a “reverse brute force attack” that hackers may make use of. As the name implies, this type of attack involves the hacker working backwards to breach an account. They “begin the process with a known password, which is typically discovered through a network breach. They use that password to search for a matching login credential using lists of millions of usernames” (Fortinet). Thus, instead of targeting a specific account and trying to crack the associated password, the hacker begins with a known password and then tries to figure out which account(s) it is associated with. This is why it is extremely important to change your password to any accounts that may have been involved in a data breach as soon as possible.

Password Spraying Attacks

A password spraying attack is very similar to a reverse brute force attack. Instead of having one specific password that the hacker has recovered, the hacker will often try “several commonly used passwords against many accounts instead of trying all the possible combinations of characters. Password spraying attacks are often successful as many people use the same password for multiple accounts” (Wickramasinghe). For example, a hacker may create a list of commonly used passwords (such as “password”, “1234”, “abc”, “admin”, the names of sports teams, or the names of popular celebrities) and then try to log into various accounts using these passwords.
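As an added example that is not part of the cited sources, the following detection logic shows how the two guessing patterns described above look different in an authentication log: a per-account brute force piles failures onto one username from one source, while a password spray touches many usernames from one source with only one or two failures each, which is exactly what a per-account lockout threshold never sees. The log format, the thresholds and the sample lines are constructed for illustration.

```python
"""Classify failed-login activity as per-account brute force or password
spraying. Added example, not from any of the cited sources; the log
format, thresholds and sample lines are assumptions for illustration."""
import re
from collections import defaultdict

# Constructed sample lines (not from a real system); the format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=alice src=198.51.100.7
2024-05-01T10:00:02Z auth FAIL user=alice src=198.51.100.7
2024-05-01T10:00:03Z auth FAIL user=alice src=198.51.100.7
2024-05-01T10:00:04Z auth FAIL user=alice src=198.51.100.7
2024-05-01T10:00:05Z auth FAIL user=alice src=198.51.100.7
2024-05-01T10:00:06Z auth FAIL user=alice src=198.51.100.7
2024-05-01T10:05:00Z auth FAIL user=bob src=203.0.113.9
2024-05-01T10:05:01Z auth FAIL user=carol src=203.0.113.9
2024-05-01T10:05:02Z auth FAIL user=dave src=203.0.113.9
2024-05-01T10:05:03Z auth FAIL user=erin src=203.0.113.9
2024-05-01T10:05:04Z auth FAIL user=frank src=203.0.113.9
2024-05-01T10:05:05Z auth OK user=grace src=203.0.113.9
2024-05-01T10:07:00Z auth FAIL user=alice src=192.0.2.5
2024-05-01T10:07:10Z auth OK user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, brute_threshold=5, spray_min_accounts=5, spray_max_per_account=2):
    """Separate the two guessing patterns by how failures are distributed.

    Per-account brute force: many FAILs against one user from one source.
    Password spraying: one source, few FAILs per user, spread over many users.
    """
    fails = defaultdict(int)            # (src, user) -> failed attempts
    users_per_src = defaultdict(set)    # src -> users it failed against
    successes = defaultdict(set)        # src -> users it logged in as
    for ev in events:
        if ev["result"] == "FAIL":
            fails[(ev["src"], ev["user"])] += 1
            users_per_src[ev["src"]].add(ev["user"])
        else:
            successes[ev["src"]].add(ev["user"])

    brute_force = sorted(
        (src, user) for (src, user), n in fails.items() if n >= brute_threshold
    )
    spraying = []
    for src, users in users_per_src.items():
        per_user_max = max(fails[(src, u)] for u in users)
        if len(users) >= spray_min_accounts and per_user_max <= spray_max_per_account:
            # A success from the same source amid the spray is the real alarm.
            spraying.append((src, sorted(successes.get(src, ()))))
    return {"brute_force": brute_force, "spraying": sorted(spraying)}


if __name__ == "__main__":
    print(classify(parse_log(SAMPLE_LOG)))
```

The spraying branch also reports any successful login from the same source, because one success among a spread of single failures is the event that needs a response; in a real pipeline these counts would run over a sliding time window rather than over a whole file, and the source key might be a client fingerprint rather than an IP, since sprays are routinely spread over many addresses.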

Credential Stuffing Attacks

Once a hacker has gained access to the correct password to an account, they can perform another type of brute force attack to try and compromise more accounts: credential stuffing. The hacker will “collect username and password combinations they have stolen, which they then test on other websites to see if they can gain access to additional user accounts. This approach is successful if people use the same username and password combination or reuse passwords for various accounts and social media profiles” (Fortinet). Thus, it is extremely important to never reuse a password across different accounts, and, when updating your password, to try and select something entirely different from any passwords you have previously used.

What Happens if a Hacker Gets Into my Account?

The amount of damage a hacker can do if they break into your account depends on what type of account they gain access to and what their motive is. As noted by Kaspersky, “breaking into online accounts can be like cracking open a bank vault: everything from bank accounts to tax information can be found online” (Kaspersky). In some cases, the hacker may be hoping to obtain this valuable information for themselves; after all, gaining access to someone’s bank accounts is an easy way to get extra cash. Alternatively, some hackers will opt to “sell that information to third parties for profit, with little regard for the harmed individuals” (Wickramasinghe). Bank accounts are not the only types of accounts a hacker will target, though. If you have a social media profile with a high number of followers, a hacker may try to break into your account and then sell it to someone else who will use the already high follower count to their advantage.

Hackers may also attempt to break into your account to “create havoc and showcase their malicious skills”, and may then use your account as a way to try and hack into other people’s accounts (Fortinet). For example, after gaining access to your account, the hacker may pretend to be you and send messages to your friends with links that lead to malware, such as with the “Look Who Died” scam.

The harm a hacker can cause a business by using brute force attacks is quite similar. Generally, brute force attacks “are often launched in an attempt to steal data from an organization, which not only costs them financially but also causes huge reputational damage” (Fortinet). A hacker that gains access to an employee’s account can possibly use that access to steal sensitive information from the company, especially if that employee happens to have a high level of access. This is why the principle of least privilege is important; if a user does not need a given level of access, they should not have it. That way, if a hacker does break into that user’s account, the damage they can cause is lessened. Furthermore, a hacker could hijack a company’s social media account to create offensive, crude, or harmful posts, which would cause harm to the company’s reputation and, in turn, lead to a loss in profits.

How to Stay Safe from Brute Force Attacks

Since brute force attacks almost always target weak passwords, the best way to stay safe against a brute force attack is to create as strong a password as possible. Both password length and password complexity play a role in thwarting brute force attacks. The longer a password is, the more possible combinations of characters there are to try; for example, a password that is a single lowercase letter can be guessed in at most 26 tries, while a ten-letter lowercase password has 26^10, roughly 141 trillion, possibilities. Similarly, the more complex a password is (mixing upper and lower case, digits and symbols), the larger the set of characters a hacker has to cover at every position. Of the two, length helps more: each extra character multiplies the number of combinations, while a larger character set only raises the base. Overall, the “goal is to make sure your password slows down these attacks as much as possible, because if it takes too long for the breach to be worthwhile… most hackers will give up and move on” (Kaspersky). After all, if a hacker had to choose between guessing a password that is a single lowercase letter and one that is a combination of twelve letters, numbers, and symbols, the hacker will most likely opt for the easier route.
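The length-versus-complexity argument above, carried through as numbers. This is an added example rather than code from any of the cited sources; the guessing rate is an assumption chosen for illustration, not a measurement of any real cracking rig, and the character-class sizes are those of printable ASCII.

```python
"""Keyspace and time-to-exhaust calculator for the length-versus-complexity
argument. Added example, not from the cited sources; the guessing rate is
an assumption, not a measurement."""
import math
import string

# Assumed attacker speed: 10 billion guesses per second, the order of
# magnitude a GPU rig reaches against a fast unsalted hash. Online guessing
# against a rate-limited login is many orders of magnitude slower.
ASSUMED_GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def charset_size_for(password):
    """Size of the alphabet a brute forcer must cover: the union of every
    character class the password actually uses."""
    known = set().union(*(chars for chars, _ in CHARACTER_CLASSES))
    if not password or any(c not in known for c in password):
        raise ValueError("only non-empty printable ASCII passwords are scored")
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace(length, charset_size):
    """Number of candidates of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """log2 of the keyspace: the number of bits an exhaustive search must cover."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for the attacker; on average the password is found at half this."""
    return keyspace(length, charset_size) / rate


def assess(password):
    """Summarise a password by the exhaustive-search numbers above. Caveat: this
    only measures what pure brute force must do; a dictionary word scores the
    same as a random string of the same length here, yet falls in seconds."""
    size = charset_size_for(password)
    return {
        "length": len(password),
        "charset": size,
        "keyspace": keyspace(len(password), size),
        "bits": round(entropy_bits(len(password), size), 1),
        "seconds": seconds_to_exhaust(len(password), size),
    }


if __name__ == "__main__":
    # "P@ss12" uses all four classes but falls faster than ten plain letters.
    for pw in ("a", "hotdog", "abcdefghij", "P@ss12", "hotdogwithmustardandrelish"):
        print(pw, assess(pw))
```

Running the block shows the point in the text directly: the six-character “P@ss12” draws on all 94 printable characters but has a smaller keyspace than ten lowercase letters, and the 26-letter passphrase is out of reach of exhaustive search at any plausible rate. The caveat in assess() matters in practice: these figures describe pure brute force only, and a dictionary attack ignores the keyspace entirely.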

When choosing a password, it is best to avoid simple or commonly-used passwords. Passwords such as “a name, sports team, or simply ‘password,’ are extremely risky. Hackers know common words or phrases that people use in their passwords and deploy tactics based around these common words to hack into people’s accounts”, such as dictionary attacks (Fortinet). While it may be more convenient to choose a simple password, it also makes your account a lot less secure. Furthermore, simply picking a common password and swapping one letter for a symbol (for example, p@ssword) does not protect you from dictionary attacks; hackers will often include alternate versions of dictionary words as part of their list of possible passwords.
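The dictionary attack described in the Dictionary Attacks section above, extended with the kind of mangling rules that turn “password” into “p@ssword” or “football” into “Football2024”, to show why the character swap in the previous paragraph buys so little. This is an added example and not code from any of the cited sources or tools; the wordlist and the target passwords are constructed for illustration, and the targets are unsalted SHA-256 digests, the offline setting in which one guess costs microseconds.

```python
"""Dictionary attack with simple mangling rules against unsalted SHA-256
hashes. Added example, not from the cited sources; the wordlist and
targets are constructed for illustration."""
import hashlib

# Constructed mini wordlist; real attacks use lists of millions of entries.
WORDLIST = ["password", "letmein", "dragon", "football", "hotdog", "redsox"]

# Common "leet" swaps that rule sets apply automatically.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def mangle(word):
    """Yield the base word plus the variants a small rule set would generate:
    case changes, appended digits or years, and leet substitutions."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix
    full_leet = "".join(LEET.get(c, c) for c in word)
    yield full_leet
    yield full_leet.capitalize()
    # One substitution at a time, in both cases: this is what catches "p@ssword".
    for base in (word, word.capitalize()):
        for i, c in enumerate(base):
            if c in LEET:
                yield base[:i] + LEET[c] + base[i + 1:]


def sha256_hex(text):
    """Unsalted, fast hash: exactly what an attacker hopes to find in a dump."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist, use_rules=True):
    """Return (recovered_password, guesses_tried); password is None on failure."""
    tried = 0
    for word in wordlist:
        candidates = mangle(word) if use_rules else (word,)
        for candidate in candidates:
            tried += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed targets: what a few users might have chosen.
    for secret in ("password", "p@ssword", "Football2024", "hotdogwithmustardandrelish"):
        found, tried = dictionary_attack(sha256_hex(secret), WORDLIST)
        print(f"{secret!r}: {'cracked' if found else 'not found'} after {tried} guesses")
```

Without rules, “p@ssword” survives because it is not literally in the list; with rules it falls within the first few dozen guesses. The passphrase survives only because no wordlist entry and no rule produces it, which is the property a good passphrase needs. Real tools apply thousands of rules per word, so anything derived from a common word by a predictable edit should be assumed crackable.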

Even more effective than a password is a “passphrase”, which Fortinet describes as “multiple words or segments with special characters that make them more difficult to guess”. Instead of choosing the password “hotdog”, you could instead choose the passphrase “hotdogwithmustardandrelish”, which is still easy to remember but also quite lengthy, giving it some extra strength. Furthermore, Kaspersky recommends that, “[w]hen taking the passphrase route, consider using truncated words, like replacing ‘wood’ with ‘wd’ to create a string that makes sense only to you. Other examples might include dropping vowels or using only the first two letters of each word”. For example, we could take “hotdogwithmustardandrelish” and drop all of the vowels, giving us “htdgwthmstrdndrlsh”. We can replace the “nd” with the ampersand symbol and add in a number or two to further increase the complexity: “htdgwthmstrd&rlsh12”. Keep in mind that vowel-dropping and symbol swaps are themselves common mangling rules in cracking tools, so most of the strength here still comes from the length of the phrase and from the phrase not being a well-known saying or song lyric.

Additionally, never reuse a password. Reusing a password can make your accounts vulnerable to credential stuffing attacks which are unfortunately “highly successful as people frequently reuse their passwords for email accounts, social media profiles, and news websites” (Fortinet). Even though it might be easier to remember just one password for all of your accounts, it also creates a single point of failure for all of your accounts. However, if you would prefer to remember as few passwords as possible, a password manager application might be the solution for you. A password manager “automatically creates and tracks users’ logins to multiple websites, enabling the user to access all their accounts by simply logging in to the password manager. With a password manager, users can create long and complex passwords, securely store them, and not run the risk of forgetting, losing, or having passwords stolen” (Fortinet). That way, you only need to create and remember one extremely strong password, the one that unlocks the password manager, and it generates and stores the rest.

Finally, Fortinet outlines steps organizations can take to help prevent user accounts from being compromised by brute force attacks:

Use high encryption rates: Encrypting system passwords with the highest available encryption rates, such as 256-bit, limits the chances of a brute force attack succeeding and makes passwords harder to crack.

Salt the hash: Salting the hash is a cryptography tactic that enables system administrators to strengthen their password hashes. They add a salt—random letters and numbers stored in a separate database—to a password to strengthen and protect it.

Use multi-factor authentication (MFA): When you add authentication to a user login, you take the dependence away from passwords. With MFA, after a user logs in with their password, they will be prompted to provide additional proof that they are who they say they are, such as a code sent via SMS or on their device or a fingerprint scan. This can prevent a hacker from gaining access to a user’s account or business system even if they have the user’s login credentials.

Limit login attempts: Limiting the number of times a user is able to re-enter their password credentials reduces the success rate of brute force attacks. Preventing another login attempt after two or three failed logins can deter a potential attacker, while locking down an account completely after numerous failed login attempts stops the hacker from repeatedly testing username and password combinations.

Use CAPTCHA to support logins: Adding a CAPTCHA box to the login process can prevent an attacker from using computers to brute force their way into a user account or business network. CAPTCHA options include typing text images that appear on the screen, checking multiple image boxes, and identifying objects that appear.

Use an Internet Protocol (IP) blacklist: Deploying a blacklist of IPs used in attacks helps protect a business network and its users from known attackers. It is important to keep this blacklist up to date to prevent new attacks.

Remove unused accounts: Unused or unmaintained accounts offer an open door for cyber criminals to launch an attack against an organization. Businesses must ensure they regularly remove unused accounts or, ideally, remove accounts as soon as employees leave the organization to prevent them from being used in a brute force attack. This is especially important for employees with high-level permission status or access rights to sensitive corporate information.

Fortinet
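The “salt the hash” and “limit login attempts” items above, combined into one working login service. This is an added example and not Fortinet’s code or any product’s implementation; the PBKDF2 iteration count, the lockout threshold and the lockout window are assumed values chosen for illustration, and the usernames and passwords are constructed.

```python
"""Salted, slow password hashing plus per-account lockout. Added example,
not from the cited sources; all parameters are assumed values."""
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration; tune to your own hardware and risk.
DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor per guess
MAX_FAILURES = 5               # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long the lock lasts


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    users with the same password get different digests, so precomputed tables
    are useless and one cracked hash says nothing about any other account.
    The iteration count makes every guess deliberately slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class LoginService:
    """Minimal credential store with per-account failed-attempt lockout."""

    def __init__(self, iterations=DEFAULT_ITERATIONS, clock=time.monotonic):
        self.iterations = iterations
        self.clock = clock              # injectable so a test can advance time
        self._users = {}                # username -> (salt, digest)
        self._failures = {}             # username -> (count, locked_until)

    def register(self, username, password):
        self._users[username] = hash_password(password, iterations=self.iterations)

    def login(self, username, password):
        """Return "ok", "bad_credentials" or "locked". An unknown user and a
        wrong password get the same answer so usernames cannot be enumerated."""
        now = self.clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"             # no hashing and no counter change
        if locked_until:
            count = 0                   # an expired lock starts a fresh window

        record = self._users.get(username)
        if record is None:
            # Hash anyway so a missing user costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16, self.iterations)
            ok = False
        else:
            salt, digest = record
            _, candidate = hash_password(password, salt, self.iterations)
            ok = hmac.compare_digest(candidate, digest)   # constant-time compare

        if ok:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return "bad_credentials"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "hotdogwithmustardandrelish")
    # Five wrong guesses lock the account; the sixth attempt is refused even
    # though it is the right password.
    for guess in ("password", "123456", "hotdog", "Hotdog1", "h0td0g",
                  "hotdogwithmustardandrelish"):
        print(guess, "->", svc.login("alice", guess))
```

Two design points worth noting. Hashing a dummy value for unknown usernames and comparing with hmac.compare_digest keep the response time independent of whether the account exists or how many bytes of the digest matched, which otherwise leaks information to an online attacker. A per-account lockout also hands an attacker a way to lock legitimate users out by deliberately failing, and it does nothing against a password spray that stays under the threshold, so in practice it is paired with per-source throttling and with MFA, the item above that holds even when the password itself is known.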

Resources & Further Reading

Fortinet. “What Is Brute Force Attack? | Definition, Types & How It Works.” Fortinet, Fortinet, Inc., www.fortinet.com/resources/cyberglossary/brute-force-attack.

Kaspersky. “Brute Force Attack: Definition and Examples.” Kaspersky, AO Kaspersky Lab, 19 Apr. 2023, usa.kaspersky.com/resource-center/definitions/brute-force-attack.

MITRE. “CAPEC – CAPEC-16: Dictionary-Based Password Attack (Version 3.4).” Capec.mitre.org, The MITRE Corporation, 23 June 2014, capec.mitre.org/data/definitions/16.html.

—. “CAPEC – CAPEC-49: Password Brute Forcing (Version 3.4).” Capec.mitre.org, The MITRE Corporation, 3 June 2014, capec.mitre.org/data/definitions/49.html.

Wickramasinghe, Shanika. “Brute Force Attacks in 2023: Techniques, Types & Prevention.” Splunk Blogs, Splunk LLC, 28 May 2024, www.splunk.com/en_us/blog/learn/brute-force-attacks.html.
