How Does Brute Force Attack Work

Protectimus
4 min readFeb 5, 2020

Brute force is one of the oldest hacking methods, yet it remains one of the most popular and most successful. As computers get faster and cracking tools get cheaper, a brute force attack is now easy to run and harder to protect against.

Brute force attack definition

So, what is brute force exactly? A brute force attack is a type of cryptanalytic attack that relies on simple trial and error: candidate after candidate is tried until one works. In the context of accounts, it means a criminal gains access by guessing the login credentials.

Sometimes, brute force attacks are still done by hand, meaning there is an actual person sitting somewhere playing a guessing game with your credentials. More often these days, attackers use a brute force tool, or brute force password cracker: a program that submits username/password combinations one after another, working through every candidate in its list or keyspace, and notifies the attacker when one gets in.

What is bruteforce attack with examples

Brute force has been around for as long as there have been codes to break. Naturally, the public has been informed about some high-profile attacks over the years, though we can safely assume that many past and ongoing break-ins never became known.

The most well-known brute force examples are:

So, how does a brute force attack work exactly? As we have already established, brute force hacking means trying numerous combinations of username and password, again and again, until the attacker gains the desired access.

So let’s say the username is as simple as “admin” and takes no effort to guess (we bet that is the first one any hacker tries).

The password is a whole other story. Usually, a password requires at least 8 alphanumeric characters. If the password is lowercase letters only (which it rarely is), there are 26 possibilities for each character. Since most passwords are case-sensitive, adding uppercase letters doubles that to 52. Add 10 digits and, for example, 5 special characters, and you get 67 possible symbols per position. For an 8-character password that is 67^8, roughly 406 trillion combinations.


How fast can a password be cracked

How long does a brute force attack take? We have 406 trillion combinations. Seems like it will take centuries to crack, right? The answer is yes if the bot attempts a thousand combinations per second: at that rate, exhausting the whole keyspace takes about 13,000 years. But the technologies evolve, remember?

So, taking that into consideration, how fast can a random password be cracked? A cracking rig that manages a hundred billion guesses per second gets through all 406 trillion combinations in a little over an hour (about 4,060 seconds). At a hundred trillion guesses per second, the entire keyspace falls in about four seconds. And those are worst-case figures that assume the correct combination is the very last one tried; on average the password is found about halfway through, and nothing stops it from being the 10th or the 110th guess. One caveat a defender should keep in mind: rates like these apply to offline cracking of a stolen password hash, and only when that hash is a fast one such as MD5 or NTLM. Guessing against a live login form is limited by the server, and a deliberately slow password hash such as bcrypt or Argon2 cuts the attacker’s rate by many orders of magnitude.
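The arithmetic behind the two paragraphs above, as an added example (this is not code from the Protectimus article). It reproduces the 406 trillion figure for an 8-character password over the 67-symbol alphabet the article builds, then lets you vary length, alphabet and guess rate. The five special characters are an assumption, since the article does not say which ones it had in mind, and the guess rates are the ones the article quotes, not measurements of any particular hardware.

```python
"""Keyspace size and brute-force time estimates.

Added example (not code from the Protectimus article). It reproduces the
article's 406 trillion figure for an 8-character password over a 67-symbol
alphabet, then shows how alphabet size, length and guess rate change the
result. The guess rates are the ones the article quotes, not measurements of
any particular hardware; the five special characters are an assumption, since
the article does not say which ones it had in mind.
"""
import string

# 26 lowercase + 26 uppercase + 10 digits + 5 assumed specials = 67 symbols
ARTICLE_ALPHABET = string.ascii_letters + string.digits + "!@#$%"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried before the right one turns up."""
    return keyspace(alphabet_size, length) / guesses_per_second


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average case for a uniformly random password: half the keyspace."""
    return exhaustive_seconds(alphabet_size, length, guesses_per_second) / 2


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value of at least 1."""
    for name, size in [("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(alphabet_size: int, lengths, rates) -> dict:
    """Map (length, guesses/s) -> worst-case seconds, for a side-by-side view."""
    return {(n, r): exhaustive_seconds(alphabet_size, n, r)
            for n in lengths for r in rates}


if __name__ == "__main__":
    size = len(ARTICLE_ALPHABET)  # 67
    print(f"{size}-symbol alphabet, 8 characters: {keyspace(size, 8):,} combinations")
    rates = [1e3, 1e11, 1e14]     # the three guess rates the article mentions
    for (n, r), worst in crack_table(size, [8, 10, 12], rates).items():
        print(f"length {n:2d} at {r:.0e} guesses/s: worst case {human_duration(worst):>16},"
              f" average {human_duration(worst / 2):>16}")
```

Running it shows the point the article is making from the other side: the same 67-symbol alphabet at length 12 is 67^12, about 8.2 × 10^21 combinations, which even the hundred-trillion-per-second rate needs more than two and a half years to exhaust. Length buys far more than a handful of extra symbols does.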

Most popular passwords

Brute force attack types

Up to this point, we were assuming the hacker has to guess each and every character of the password. But that’s not always the case.

Dictionary attacks

A dictionary attack means the hacker has a list of commonly used passwords (a password dictionary) and simply tries them all until one works. If your password is “password”, “qwerty” or “12345678”, we have bad news for you: it will be cracked in mere seconds, because those entries sit near the top of every such list.

Reverse brute force attacks

As the name suggests, this type of attack reverses the approach. Instead of many passwords against one account, the hacker tries one common password, like the already mentioned “password”, against many usernames until a combination works. This is also known as password spraying, and it has a practical advantage for the attacker: each account sees only one failed attempt, so per-account lockout thresholds are never reached.
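Both attack types from this section side by side, as an added example that is not part of the Protectimus article. The user table, passwords, salts and wordlist are all constructed for the demo; a toy login service with a per-account lockout is included to show why the reverse form slips past a defence that stops the ordinary dictionary attack. SHA-256 stands in for the password hash only because it is in the standard library.

```python
"""Dictionary attack versus reverse brute force (password spraying).

Added example, not code from the Protectimus article. A small constructed
user table (invented names and passwords) is hashed with a per-user salt to
stand in for a leaked credential store, then attacked both ways the article
describes: one account with many candidate passwords, and one common password
across many accounts. SHA-256 is used only because it is in the standard
library; a real password store should use Argon2 or bcrypt.
"""
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts; two of the five use very common passwords.
SAMPLE_USERS = {
    "admin":  "password",
    "jsmith": "Tr0ub4dor&3",
    "mlee":   "qwerty",
    "rpatel": "correct horse battery staple",
    "dkim":   "Summer2020!",
}

# Constructed mini wordlist in the style of published "most popular passwords" lists.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "letmein", "monkey", "dragon", "111111", "iloveyou"]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def build_store(users: dict) -> dict:
    """Return {username: (salt, digest)}, the shape of a leaked credential table."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(pw, salt))
    return store


def dictionary_attack(store: dict, username: str, wordlist) -> tuple:
    """Offline: hash each word with the account's salt and compare. -> (password|None, attempts)"""
    salt, digest = store[username]
    for attempts, candidate in enumerate(wordlist, start=1):
        if hash_password(candidate, salt) == digest:
            return candidate, attempts
    return None, len(wordlist)


class LoginService:
    """Toy online login that locks an account after `max_failures` wrong passwords."""

    def __init__(self, store: dict, max_failures: int = 3):
        self.store = store
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        if username not in self.store:
            return "no_such_user"
        if self.failures[username] >= self.max_failures:
            return "locked"
        salt, digest = self.store[username]
        if hash_password(password, salt) == digest:
            return "ok"
        self.failures[username] += 1
        return "bad_password"


def online_dictionary_attack(service: LoginService, username: str, wordlist) -> tuple:
    """Same wordlist, but through the login form: stops as soon as the account locks."""
    for attempts, candidate in enumerate(wordlist, start=1):
        result = service.login(username, candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def reverse_brute_force(service: LoginService, usernames, password: str) -> list:
    """One password against every account: at most one failure per user, so no lockout."""
    return [u for u in usernames if service.login(u, password) == "ok"]


if __name__ == "__main__":
    store = build_store(SAMPLE_USERS)
    print("offline dictionary attack on mlee:", dictionary_attack(store, "mlee", WORDLIST))
    svc = LoginService(store)
    print("same attack through the login form:", online_dictionary_attack(svc, "mlee", WORDLIST))
    print("spraying 'password' across all users:",
          reverse_brute_force(LoginService(store), list(SAMPLE_USERS), "password"))
```

Offline, “qwerty” falls on the fourth guess. Through the login form the same account locks after three failures, so the fourth (correct) guess is rejected; yet spraying “password” across all five users compromises admin while leaving every other account at a single failure, well under the lockout threshold. That asymmetry is why lockout alone is not a defence against reverse brute force, and why the usual countermeasures are rate limiting per source, banning the common passwords outright, and a second factor.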

Continue reading on Protectimus Blog: https://www.protectimus.com/blog/brute-force-attack/


Protectimus

Two-factor authentication solutions for business and personal use. Secure your organization’s and user’s data with MFA: https://www.protectimus.com/