What is a brute force attack? Meaning, protection & prevention
You have probably heard about the importance of having long, complex passwords to protect you from “brute force attacks.” But what exactly does that mean – and is it as dangerous as it sounds? Today, our blog explains this hacking method and how a brute force attack can be prevented.
by Alyssa SchmittWith the right software, a hacker can crack an 8-letter password in a matter of seconds
One way hackers try to gain access to an online account is by cracking the password. In a brute force attack, they use trial and error to try to guess a password. But usually not by sitting and typing in their guesses one by one. Instead, in brute force attacks, cybercriminals use programs and tools that systematically test combinations of numbers, letters, and other characters to crack passwords or decrypt data. So, it’s trial and error on a grand scale.
How does a brute force attack work?
It’s called “brute force” because of the extremely forceful methods hackers use in these attacks. High-performance computers running special software try out thousands of character combinations per second. In some cases, these tools will simply test all possible combinations of characters; in others, lists of common passwords or words from a dictionary will be tried in rapid succession. This can include common number-for-letter substitutions, like zero for the letter O – so, the program would not only try “noodle” but also “n00dle”.
How long does it take to crack a password?
Brute force is a highly effective method for cracking weak passwords. A short password, for example, is particularly vulnerable to a brute force attack. This is because the longer and more complex a password is, the more possible combinations of characters there are, and therefore it takes an exponentially longer time to try them all out. According to Hive Systems, in 2024 a five-character password consisting of only lowercase letters would take only 4 seconds to crack using the method in their study, while a 12-character password containing random numbers, upper- and lowercase letters, and symbols could take up to 164 million years.
Types of brute force attacks
Cybercriminals employ several types of brute force attacks to hack into accounts, including:
Simple brute force attacks use an old-school approach without any special software. The hacker simply tries out common, weak PINs and passwords that are still unfortunately used by many people today – like “QWERTY” or “12345678”. After a little social media sleuthing, they may also try to logically guess a password based on the user’s year of birth, favorite sports team, etc.
Dictionary attacks sequentially try all the words in a dictionary in an attempt to discover the password.
Reverse brute force attacks tackle the problem from the other end, taking a commonly used password like “Password123” and trying to match it in a database or list of usernames.
Credential stuffing takes the brute force attack a step further – once the hacker has discovered valid combinations of usernames and passwords, they test them on other websites to see if they have been reused there.
What is the point of a brute force attack?
Maybe you are wondering why a hacker would spend all those resources to get into one of your online accounts. Cybercriminals may be out to:
Steal personal data so they can commit identity theft
Steal money or assets by gaining access to online financial accounts
As an individual user, the best way to protect yourself against brute force attacks is to follow strong password best practices.This includes:
Use long, complex passwords: Although most websites only have a minimum requirement of eight characters for passwords, you should aim to use at least 12 – and go up to 18 or 20 if possible. Using a mix of upper- and lowercase letters, numbers, and symbols also vastly increases the time it takes to crack a password.
Use passphrases: If you have trouble remembering a string of random numbers and letters – and who wouldn’t? – you can instead create a passphrase of several random words, like “Window-yarn-petunia-lamppost.” Using a series of words thwarts a simple dictionary attack.
Avoid common passwords: Frequently used passwords, or passwords that have appeared in a data leak, are commonly used by hackers in brute force attacks. This not only includes “Password123”, but names of sports teams, cities, superheroes, common first names and pet names, etc.
Use unique passwords for every account: Once they have discovered a password, hackers often test it on other websites to see if it has been used there as well. This is why it is important never to use the same password for any two online accounts, especially with the same (or similar) username.
Use multi-factor authentication: Don’t rely on your password alone to protect your accounts. Multi-factor authentication (MFA), also known as two-factor authentication (2FA) requires added proof of identity when logging in – a fingerprint or face scan, a code sent by text message, an authenticator app, etc. This keeps the hacker out of your account even if they crack your password.
Set up a password manager: If you are tired of trying to remember and keep track of all of your long, complex, unique passwords, let technology work for you. Take the time to research and set up a reputable password manager, and from then on you will be able to log in to all of your accounts by simply logging in to the password manager.
Check the security practices of online companies where you have accounts. Nowadays, reputable online companies who are concerned about their customers’ safety will take measures to prevent brute force attacks. This includes limiting the number of attempts allowed to enter the correct password, offering (or requiring) MFA, and using CAPTCHA in the login process.
