Brute-Force Attacks: What You Need to Know
5 Min. Read | May 31, 2022
As cybersecurity defenses have hardened in terms of perimeter defense and threat detection, attackers have returned to one of their oldest exploits: password-based attacks. The major SolarWinds attack in 2020, which infiltrated the Pentagon, Microsoft and Intel among other high-value targets, utilized simple brute-force attacks to escalate penetration.
Security researchers have also noted dramatic increases in the scale of different types of brute-force attacks, particularly those targeting RDP services used by remote workers. Security firm ESET found 206 billion RDP brute-force attacks in the last 4 months of 2021; an increase of 274% over the previous period. Once an attacker gains access via RDP, they can take over the account and access any systems or data that the account owner could. If they gain administrator privileges, they could even disable security software, install malware, steal confidential data and additional credentials, and more.
Types of Brute-Force Attacks
Brute-force attacks on authentication come in a variety of forms. Here, we’ll look at several different types of brute-force attacks, how they work and what you can do to stop them.
Simple Brute-Force Attacks
In the most basic form of a brute-force attack, the hacker systematically tries every possible combination of words, letters and characters until a match is found. Originally performed manually, attackers now use automation tools to rapidly run through the permutations.
In this type of attack, a hacker uses a predefined list of possible passwords and runs through them all. This dictionary of terms will usually include the most common passwords and terms, including those taken from security breaches leaked online, but could be tailored to a region, industry or organization in order to have a higher probability of success. In combination with all terms in the dictionary list, the attackers will also include standard augmentations, such as numbers, capitalized first letters or symbols so they cover the most common variations of a password.
Hybrid Brute-Force Attacks
Here hackers will integrate outside information along with brute-force guesses to narrow their focus and speed up their attack. For example, if they know that the password for the target account must have a capitalized letter, number and symbol, hackers can exclude everything without that and increase the number of blended passwords they try first. Starting with the most basic, like “123Abc” or “Qwerty123” (which are actually very common), they gradually add layers of complexity to their combinations.
Reverse Brute-Force Attacks
This takes the opposite approach of the logic applied to many of common brute-force attacks. Instead of having a username and attempting to find a password, the attacker begins with a common password and tries to find a username that fits it. Lists of usernames, account names and email addresses are commonly available online for very low prices.
Credential Stuffing Attacks
As many people reuse the same username and password combination across multiple accounts, hackers can use this to try and brute-force access. Typically the username and passwords from one major data breach (such as the 2013 Yahoo breach which affected three billion accounts) will be released online or on a dark web marketplace. Attackers will then “stuff” these combinations into hundreds of different locations to see if any work.
Different Types of Brute-Force Attack Tools
All the different types of brute-force attacks on credentials play a big numbers game. Entering each password or credential combination manually could take years, so hackers have developed a number of tools that significantly decrease the time investment.
Automated Brute-Force Attacks
A number of software tools exist online which rapidly attempt every single password possible for an account. The more pieces of information the attacker has, such as minimum length, necessity of certain characters or potential language, the better the tool will be at focusing its attack. Time lengths between guesses can also be inputted to defeat a “too many guesses too quickly” defense.
It's common for the different types of brute-force attack tools to utilize VPNs and other web protocols to mask the fact that all of the attempts are coming from a single user.
Leveraging Known Algorithms
Many 2nd-generation default passwords (i.e., a level higher than “0000”) for internet hardware were created by very simple algorithms connected to the stated device number. This meant that hackers were able to reverse engineer the algorithm and create simple programs allowing anyone to hack into those modems and routers. The same logic applies to rainbow tables of known hash functions, which greatly narrow down potential passwords for a brute-force attack.
Graphics processing units (GPU), better known for improving gaming performance or mining crypto, are hackers’ hardware of choice for cracking passwords. The reason for that is that while a CPU may have 32 cores a GPU will have thousands which can be independently set to uncover hashed passwords. This greatly speeds up brute-force attacks and is the benchmark used for calculating the strength of passwords, such as Hive Systems' well-known table.
How to Defend Against Different Types of Brute-Force Attacks
As can be seen from the Hive Table above, an 8-figure numeric or alphabetic-only password will be cracked instantly. If numbers, upper and lowercase letters and symbols are used, password cracking can take up to 39 minutes. Basically, as brute forcing gets easier, passwords must keep getting increasingly complicated, leading to lost passwords, user frustration and more time wasted on authentication.
The solution to defending against different types of brute-force attacks then is obvious: getting rid of passwords. This is not as complicated as it sounds, and best practices for strong multi-factor authentication (MFA) already recommend the use of possession (personal device or authentication keys) and inherence (biometric features like fingerprints or retina scans) factors rather than shared knowledge to prove identity.
HYPR’s passwordless multi-factor authentication (PMFA) solution provides uncompromising security around authentication by completely removing shared secrets from the login process. It also provides a better, faster experience for your users, turning their own smartphone into a secure, easy-to-use FIDO token.
To learn more about passwordless authentication and what to look for in a PMFA solution, download our Passwordless Security Evaluation Guide.