Brute Force Attacks
Written by: Jack Loomis, Cyber Security Specialist
Brute force attacks are used by malicious hackers in an attempt to log in to a victim’s account by guessing password combinations. While you may think this would take a long time – there could be millions, or even billions, of possible password combinations – in reality it is nowhere near as long as you would think. Hackers attempting a brute force attack are not typing passwords in one by one, hoping to eventually hit the correct one. Instead, they employ a wide range of tools that let the computer do this for them. What you might think would take days, weeks, or months can instead be measured in seconds and minutes.
Having been trained in penetration testing myself, I can attest to just how quickly a weak password can be cracked. I set up labs at home all the time while training myself to use these tools for defensive purposes. For example, a password like ‘password’, ‘Password’, or anything else this simple can be cracked in less than one second. How is this accomplished, you may ask? Dictionary attacks.
A dictionary attack is when a hacker uses a long word list of the most commonly used passwords. These lists are not hard to find at all; in fact, a simple Google search for the most used passwords returns results that hackers then store in the wordlist fed to their password cracking software. When the hacker runs the application, it sends hundreds of attempts per second, working down the list of candidate passwords until it finds the correct one. Once a hacker has that password, however, it doesn’t end there.
Credential stuffing is the process where a hacker takes credentials gained for one of a victim’s accounts and tries them on a wide range of other accounts. For example, let’s say I found the password to your Facebook account. How many other sites do you use that same password with? As a hacker, I would instantly begin attempting that password on all of the other sites I know you use, because it’s likely that the password I’ve gained – or some minor variation of it – is the same one you’re using for your bank accounts, email, etc.
So how do you protect yourself from these easy-to-accomplish attacks? Here are a few tips:
- Never use weak passwords. The less “normal” your password is, the better. This means using special characters, numbers, and a mix of upper- and lowercase letters.
- In all reality, even these passwords can still be cracked. My utmost recommendation is to use a password manager. At Southshore, we use MyKi. LastPass and Bitwarden are a couple of other good candidates; they will randomly generate a password for you and then store it so you don’t have to remember it later.
- Enable account lockouts, if available. A lot of sites already have this feature, but it may not be turned on by default. This will lock your account after enough incorrect login attempts have been made.
- Use Multi-Factor Authentication. By turning on MFA for your accounts, you require an additional step in order to log in to your account. This means that even if someone gains access to your password, they can’t access your account without that extra step.
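To show what the account-lockout tip and the dictionary and credential-stuffing patterns above look like from the defender's side, here is an added example (not code from the original post): a small Python checker over a constructed login log that locks an account after too many failures inside a sliding window and flags a source that fails against many different accounts. The log format, the thresholds and the window length are assumptions chosen for illustration.

```python
"""Account lockout plus brute-force and credential-stuffing detection over a
constructed auth log ("<timestamp> <FAIL|OK> user=<name> src=<ip>" per line).
Added example, not code from the original post; thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
MAX_FAILURES = 5                # lock the account after this many failures...
WINDOW = timedelta(minutes=10)  # ...within this sliding time window
STUFFING_ACCOUNTS = 3           # one source failing against this many accounts

# Constructed sample log (all addresses are documentation ranges, not real hosts)
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:00 FAIL user=frank src=192.0.2.11
2024-05-01T10:04:00 FAIL user=frank src=192.0.2.11
2024-05-01T10:08:00 FAIL user=frank src=192.0.2.11
2024-05-01T10:12:00 FAIL user=frank src=192.0.2.11
2024-05-01T10:16:00 FAIL user=frank src=192.0.2.11
2024-05-01T10:01:00 FAIL user=bob src=192.0.2.10
2024-05-01T10:01:05 OK user=bob src=192.0.2.10
2024-05-01T10:02:00 FAIL user=carol src=198.51.100.9
2024-05-01T10:02:01 FAIL user=dave src=198.51.100.9
2024-05-01T10:02:02 FAIL user=erin src=198.51.100.9
"""
def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[len("user="):], src[len("src="):]

def evaluate(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (locked accounts, sources suspected of credential stuffing)."""
    recent = defaultdict(deque)          # user -> timestamps of recent failures
    accounts_per_src = defaultdict(set)  # source ip -> accounts it failed against
    locked = set()
    for line in filter(None, log_text.splitlines()):
        ts, result, user, src = parse(line)
        if result == "OK":
            recent[user].clear()         # a successful login resets the counter
            continue
        accounts_per_src[src].add(user)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:        # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:       # alice: 5 failures in 5 s -> locked
            locked.add(user)             # frank: 5 failures over 16 min -> never 5 in window
    stuffing = {s for s, a in accounts_per_src.items() if len(a) >= STUFFING_ACCOUNTS}
    return locked, stuffing
```

Widening the window (for example `evaluate(SAMPLE_LOG, window=WINDOW * 6)`) also locks frank, which is the trade-off a lockout policy has to make between catching slow guessing and locking out legitimate users who mistype.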
If you have any questions about brute force attacks, other cyber attacks, or want to just gain more information about cyber security in general, please contact Southshore Managed IT Group at (219) 226-3386.