Brute-Force Attacks: What You Need to Know

Pen HYPR Team

Clock 5 Min. Read | May 31, 2022

As cybersecurity defenses have hardened in terms of perimeter defense and threat detection, attackers have returned to one of their oldest exploits: password-based attacks. The major SolarWinds attack in 2020, which infiltrated the Pentagon, Microsoft and Intel among other high-value targets, utilized simple brute-force attacks to escalate penetration.

Security researchers have also noted dramatic increases in the scale of brute-force attacks, particularly those targeting RDP services used by remote workers. Security firm ESET found 206 billion RDP brute-force attacks in the last 4 months of 2021; an increase of 274% over the previous period. Once an attacker gains access via RDP, they can take over the account and access any systems or data that the account owner could. If they gain administrator privileges, they could even disable security software, install malware, steal confidential data and additional credentials, and more. 

Types of Brute-Force Attacks

Brute-force attacks on authentication come in a variety of forms. Here, we’ll look at the most common variants, how they work and what you can do to stop them. 

Simple Brute-Force Attacks

In the most basic form of a brute-force attack, the hacker systematically tries every possible combination of words, letters and characters until a match is found. Originally performed manually, attackers now use automation tools to rapidly run through the permutations.

Dictionary Attacks

In this type of attack, a hacker uses a predefined list of possible passwords and runs through them all. This dictionary of terms will usually include the most common passwords and terms, including those taken from security breaches leaked online, but could be tailored to a region, industry or organization in order to have a higher probability of success. In combination with all terms in the dictionary list, the attackers will also include standard augmentations, such as numbers, capitalized first letters or symbols so they cover the most common variations of a password.

Hybrid Brute-Force Attacks

Here hackers will integrate outside information along with brute-force guesses to narrow their focus and speed up their attack. For example, if they know that the password for the target account must have a capitalized letter, number and symbol, hackers can exclude everything without that and increase the number of blended passwords they try first. Starting with the most basic, like “123Abc” or “Qwerty123” (which are actually very common), they gradually add layers of complexity to their combinations. 

Reverse Brute-Force Attacks

This takes the opposite approach of the logic applied to many of common brute-force attacks. Instead of having a username and attempting to find a password, the attacker begins with a common password and tries to find a username that fits it. Lists of usernames, account names and email addresses are commonly available online for very low prices. 

Credential Stuffing Attacks

As many people reuse the same username and password combination across multiple accounts, hackers can use this to try and brute-force access. Typically the username and passwords from one major data breach (such as the 2013 Yahoo breach which affected three billion accounts) will be released online or on a dark web marketplace. Attackers will then “stuff” these combinations into hundreds of different locations to see if any work. 

Types of Brute-Force Attack Tools

Brute-force attacks on credentials play a big numbers game, where entering each password or credential combination manually could take years. To help hackers significantly decrease the time investment, hackers have developed a number of tools to assist them. 

Automated Brute-Force Attacks

A number of software tools exist online which rapidly attempt every single password possible for an account. The more pieces of information the attacker has, such as minimum length, necessity of certain characters or potential language, the better the tool will be at focusing its attack. Time lengths between guesses can also be inputted to defeat a “too many guesses too quickly” defense.

In general, brute-force attack tools utilize VPNs and other web protocols to mask the fact that all of the attempts are coming from a single user.

Leveraging Known Algorithms

Many 2nd-generation default passwords (i.e., a level higher than “0000”) for internet hardware were created by very simple algorithms connected to the stated device number. This meant that hackers were able to reverse engineer the algorithm and create simple programs allowing anyone to hack into those modems and routers. The same logic applies to rainbow tables of known hash functions, which greatly narrow down potential passwords for a brute-force attack.

High-Speed Hardware

Graphics processing units (GPU), better known for improving gaming performance or mining crypto, are hackers’ hardware of choice for cracking passwords. The reason for that is that while a CPU may have 32 cores a GPU will have thousands which can be independently set to uncover hashed passwords. This greatly speeds up brute-force attacks and is the benchmark used for calculating the strength of passwords, such as Hive Systems' well-known table.

How to Defend Against Brute-Force Attacks

As can be seen from the Hive Table above, an 8-figure numeric or alphabetic-only password will be cracked instantly. If numbers, upper and lowercase letters and symbols are used, password cracking can take up to 39 minutes. Basically, as brute forcing gets easier, passwords must keep getting increasingly complicated, leading to lost passwords, user frustration and more time wasted on authentication.

The solution to defending against brute-force attacks then is obvious: getting rid of passwords. This is not as complicated as it sounds, and best practices for strong multi-factor authentication (MFA) already recommend the use of possession (personal device or authentication keys) and inherence (biometric features like fingerprints or retina scans) factors rather than shared knowledge to prove identity. 

HYPR’s passwordless multi-factor authentication (PMFA) solution provides uncompromising security around authentication by completely removing shared secrets from the login process. It also provides a better, faster experience for your users, turning their own smartphone into a secure, easy-to-use FIDO token. 

To learn more about passwordless authentication and what to look for in a PMFA solution, download our Passwordless Security Evaluation Guide.

New call-to-action

HYPR Team

Related Content

Six of the Biggest Problems with Password Managers

The problems with passwords are numerous, both from a security and a usability standpoint. We’ve...

How to Secure RDP (Remote Desktop Protocol)

Remote desktop protocol (RDP) is a proprietary Microsoft protocol that has been packaged with...

MFA Fatigue and MFA Prompt Bombing

The term “MFA prompt bombing” is cropping up more and more in the security space, and while it...