A brute force cyberattack can be used to guess passwords, as well as other credentials, via a process of trial and error that eventually leads to forced entry into a site, account, or database. Typically, these attacks will test different combinations of phrases and characters until the correct combination is determined.
Whilst brute force attacks are hardly the most sophisticated digital threat, they're still reliable, and can be easily automated. In fact, Verizon confirmed that 80% of the breaches that occurred in 2020 involved a brute force attack of some sort.
So, how do these attacks happen, and what can be done to prevent them?
What is a brute force attack
Imagine that you're a thief trying to figure out the combination to a padlock. Without any clues or hints about what the correct combination could be, you're pretty much left to figure it out yourself, right? You could guess at random or you could start from "0000". Either way, that's basically a brute force attack.
These cyberattacks try to "force" entry into accounts in a relatively unsophisticated manner. Brute force attacks have been around for a while, and will continue to be a threat so long as people are using weak passwords.
Passwords are often the target of a brute force attack, which will test various combinations of common phrases, characters, symbols and dictionary terms until a match is found and access (to the site in question) is granted. Brute force attacks can also be used to crack encryption keys or sniff out hidden web pages.
The simplistic nature of these attacks makes them remarkably easy to automate with scripts or bots – you don't have to be a tech wizard to set them up, either, or even search hard to find the necessary tools. With an automated system, an attacker could target a specific login page or user and test thousands of potential passwords in seconds... all whilst they scroll through Twitter on another monitor, or check out what's new on Netflix. It's even possible to have multiple brute force attacks running at once!
Luckily for us, brute force attacks take time. Testing all those potential passwords is a time-consuming process. This is especially true if the password is complex – the longer the password, the harder it is to crack, and it's more likely that an attacker will get bored and give up.
As a result, these attacks tend to be more effective when solving short passwords, though there are different types of brute force attacks that do better when pit against secure credentials – and I'll get to those a bit later.
Imagine that you're trying to unlock that padlock again. Testing each combination manually is an enormous commitment... and probably a last resort. Brute force attacks are similar, in that the crooks behind the attempts are often working without any clues or additional software to help them decipher the correct combination of credentials.
What is an encryption key?
Brute force attacks can also decipher encryption keys, but it's a much harder ask, seeing as modern encryption keys are largely considered impossible to crack.
An encryption key is a random string of bits that's used to scramble and unscramble data – keeping it nice and private. Once your data has been scrambled, it's effectively unreadable to anyone who happens across it... unless they have your encryption key. Fortunately, cracking most encryption keys would take more time than the universe has existed for, and I'm pretty sure nobody has that much free time.
Types of brute force attack
Cyberthreats are constantly evolving in order to keep up with the tech we use and the methods in which we secure it, and brute force attacks are no exception. Below, you'll find some of the more commonly used types of brute force attack, and though they vary a little in their execution, they all share the same trial-and-error methodology.
Simple brute force attack
This is the most basic form of brute force attack, which attempts to decipher a password via a laborious process of trial and error, and all without any outside help or hints – that means no assistance from supplemental software, data breaches, or known vulnerabilities that could be leveraged in the hacker's favor.
You might not think that this sort of attack would be viable in 2024, but a shocking amount of people still use very basic, insecure passwords. These are exactly the sort of passwords that a simple brute force attack is adept at cracking. Simple brute force attacks can also be used to crack local files, where there are no limits to how many times you can input a password attempt.
Dictionary attack
Dictionary attacks are a little more sophisticated than the garden variety brute force attack, but are still considered rudimentary when compared to other cyberattacks, like worms, ransomware, and DDOS attacks.
During a dictionary attack, a cybercriminal will pick their target and use lists of common password phrases to try and force entry. Whilst this method is more specific than searching random combinations of letters and numerals, there are still countless phrases and dictionary words that could feasibly make up a password. So, some cybercriminals work from lists of passwords and credentials acquired from past data breaches. These lists are vast, however, and dictionary attacks are still a massively cumbersome time commitment.
Hybrid brute force attack
You might've guessed it, but a hybrid brute force attack combines the methods of dictionary and simple attacks, making small modifications to the phrases or dictionary terms being used to attempt a forceful login. Typically, a cybercriminal undertaking a hybrid attack will already know the username of the account they're trying to crack, and will once again rely on lists of previously leaked passwords.
However, a hybrid attack involves changing a few characters each time. This is particularly useful if the hacker suspects that the password combines words with random symbols and numbers, and comes in handy during credential stuffing attacks, where a hacker may have to account for a user slightly adjusting their password over a period of time.
Reverse brute force attack
When an attacker knows your password, but not your username, they could potentially launch a reverse brute force attack. Sometimes the attacker will even pull from commonly used passwords or a list of credentials previously leaked in a breach, and use that information to search for matching logins against lists of usernames.
Just like with a regular brute force attack, the attacker's bots or scripts will then test usernames against that password until the correct combination is found. Unfortunately, "password", and weak variations of the phrase, is still a shockingly common password, which makes this sort of attack astoundingly successful, even today.
Goals of a brute force attack
So, knowing now that brute force attacks are pretty cumbersome, time-consuming, and dated modes of cyberattack, you might wonder what the point of launching one would be? What does a hacker stand to gain by going through all that trouble?
The answer, unfortunately, is quite a lot. A successful brute force attack will mean that the attacker can:
- Access your personal account and data
- Access your system and disrupt it by injecting malware
- Propagate malware across the web
- Sniff out hidden web pages and target vulnerabilities
- Edit sites (with text, images, adult content, or offensive material) to slander owners or businesses
- Generate revenue through spam ads placed on sites
- Reroute web traffic to ad sites
How to prevent brute force attacks
It's not all doom and gloom! Brute force attacks might be deceptively effective when they're successful, but they're also pretty easy to deter – you'll just need to take a proactive approach to your digital privacy. I've listed some of the best, and easiest, ways to avoid being the victim of a brute force attack below.
Use a complex password
This one's first on the list because it's a no-brainer. The longer your password is, the harder it's going to be for a brute force attack to crack it – there are simply more potential combinations with a longer password, right? As such, I'd suggest making all your passwords at least ten characters long, and I'd also suggest that you sprinkle in some numbers, special characters, and capital letters to make it more secure and a hacker's job that much harder.
Don't be obvious
If your password is "password", or any variation of the word, then you have a problem. These obvious passwords are the very first things that hackers guess when initiating dictionary attacks, and so you'll want to stay as far away from common password phrases as possible! You'll also want to avoid using single-word passwords. Consider splicing two or more words, in addition to adding those special characters I mentioned earlier, for a password that's truly tough to crack.
Consider a password manager
Obviously, one reason why people opt for weak passwords in the first place is that they're easy to remember. If you're using a different password for all your accounts (which I strongly recommend!), then you can quickly find yourself with dozens to keep track of, and you might even run out of ideas for strong passwords. Fortunately, password managers can handle all this for you for a small monthly fee. They'll keep track of all your logins, generate super secure passwords at the click of a button, and can even remind you to switch them up on a regular basis.
Opt-in for two-factor authentication
Most sites and services now offer 2FA (two-factor authentication), which is a great boost to your digital privacy and well recommended! When you enable 2FA, you'll need to provide extra evidence of your identity before you login to a site. This sometimes means verifying your identity via a companion app or inputting a single-use code that's been texted to you; either way, it makes it way harder for a hacker to access your account, as they'll be unable to provide that extra verification even if they happen to have your password and username!
Final thoughts
It's easy to dismiss brute force attacks as an outdated, outmoded threat of a bygone era, but that's a risky attitude to have! Plenty of cybercriminals still use the method to systematically crack passwords and steal user data. It's a slow process, but it'll be a successful one so long as people aren't properly securing their accounts.
So, make sure your passwords are up to scratch and make sure you change them regularly – and check out a password manager if you need an extra helping hand.