Brute Force Attack

What is Brute Force Attack

A brute force attack cracks credentials by trial and error: the attacker submits candidate passwords one after another until one is accepted. Because the number of candidates grows with the length and the character set of the password, the work is almost always automated with tools and scripts, and most brute force traffic seen today comes from bots rather than from a person typing guesses.

Once a password is cracked, the attacker holds the same access as the legitimate user and can go on to perform other malicious activities: exhausting the system's resources, harvesting personal and sensitive data for resale, impersonating the user to launch phishing attacks, spreading malware to infect more systems, and so on.

Types of Brute Force Attack
Simple Brute Force Attack
A simple brute force attack systematically tries every possible combination of characters up to a given length, usually starting from a list of the most common passwords. It works against short and weak passwords such as “123456”, “111111” and “abcdef”: lists of the most commonly used passwords are published regularly, and any password on them can be guessed almost immediately.
Dictionary Attack
A dictionary attack guesses the password from a prepared word list: dictionary words, phrases, and passwords leaked in earlier breaches. The lists are far too large to try by hand, so tools are used to submit the guesses. Most tools also apply mangling rules, such as swapping “l” for “1”, “O” for “0” and “a” for “@”, so that a simple character substitution does not put a password beyond reach.
Hybrid Brute Force Attack
A hybrid brute force attack combines the two. Starting from the words or passphrases in a dictionary, the attacker extends each guess with patterns borrowed from the simple brute force approach, most commonly numbers. People tend to append a number that is significant to them, such as a birthday, birth year or anniversary, which gives passwords like “password1990” or “picture0531”. Attackers also enrich the dictionary with popular terms that vary with time and region: cities, sports teams, idols and so on.
Reverse Brute Force Attack
A reverse brute force attack turns the search around: the attacker starts with one known password and tries it against a large number of usernames. The passwords used are those commonly chosen by people or those leaked from data breaches. When a few passwords are tried against many accounts at a slow pace, the technique is also called password spraying; it is designed to stay below per-account lockout thresholds, so an account lockout rule on its own does not stop it.
Credential Stuffing
In credential stuffing, attackers take username and password pairs collected from earlier data breaches and try them against other systems. The attack targets users who reuse the same username and password across multiple systems and services. Each pair is normally tried only once, so an account under attack shows at most a single failed login and a per-account failure count does not reveal it.
Potential impact of brute force attack

A brute force attack is usually the first step an attacker takes to gain unauthorised access to a target system. Other adversary actions follow, and the following are some of the possible impacts on the victims:

Attackers can resell the harvested login credentials and/or personal and sensitive information to third parties;
By exploiting the breached accounts, attackers can manipulate the account to spread malware, spam content or phishing links;
Attackers can exhaustively consume system resources for malicious purposes such as crypto-mining;
If a privileged account is compromised, consequences such as website defacement, disruption of services and information leakage may happen. This can lead to financial loss or even reputation damage to an organisation; and
The same trial-and-error technique is not limited to passwords: attackers use it to enumerate valid usernames, hidden directories and files, and other guessable values, which they can then use to dig further into the system and compromise data.
How to identify Brute Force Attack

For user:

If a service provider notifies you by email or SMS of a login attempt from a location or at a time you do not recognise, someone may be trying to brute force their way into your account. Change your password immediately and enable multi-factor authentication if it is available.


For system administrator:

To be alerted to a brute force attack in good time, monitor the systems for the following conditions; each of them can signal an attack:


Multiple unsuccessful login attempts within a short span of time;
Login attempts with various usernames from the same IP address;
Login attempts with a single username from different IP addresses; and
Unsuccessful login attempts whose usernames or other submitted values follow an alphabetical or numerical sequence, such as user01, user02, user03.
How to Prevent Brute Force Attack

For user:

Use strong password
A simple but effective defence against brute force attacks is a strong password. Length matters most: every extra character multiplies the number of combinations an attacker has to try, and mixing upper and lower case letters, numbers and symbols enlarges the character set further. Avoid dictionary words, even with simple character substitutions, and do not include personal information such as your birthday, birthplace or name, because dictionary and hybrid attacks try exactly these first.
Do not reuse password
It is always good practice to use a different password for every service. If one of your passwords is breached, your other accounts at least remain safe from credential stuffing.
Adopt multi-factor authentication
Multi-factor authentication adds another layer of protection to your accounts. Common factors besides the password are one-time passwords, hardware or software tokens, and biometrics (fingerprint or facial recognition). Even if attackers succeed in brute forcing your password, they cannot get into the system without the additional factor.

For system administrator:

Allow limited password attempts
Lock accounts after a set number of failed logins so that attackers cannot keep trying indefinitely. Unlocking should be performed by the system administrator after properly verifying the user's identity. Where locking is not feasible, compensating controls should be implemented, such as a lockout timer that grows after each run of failures; this at least slows the attack. Note that a per-account lockout can itself be abused to lock legitimate users out, and it does not stop password spraying across many accounts, so it should be combined with throttling by source IP address.
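As an added example (not code from the original page or from any particular product), the following Python class combines the two controls described above: a per-account lockout that only an administrator can clear, and an escalating per-IP delay that also slows an attacker who rotates usernames. The thresholds, the address values and the `demo()` scenario are assumptions for illustration; a real deployment would keep the counters in shared storage rather than in memory.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Decide whether a login attempt may proceed, based on earlier failures.

    Two independent rules (an assumed design for illustration):
      - per account: after `lockout_threshold` consecutive failures the
        account is locked until an administrator unlocks it;
      - per source IP: every failure doubles a waiting period
        (1, 2, 4, 8 ... seconds, capped at `backoff_cap`), so an attacker
        who rotates usernames to dodge account lockout is still slowed.
    `clock` is injectable so the behaviour can be replayed without sleeping.
    """

    def __init__(self, lockout_threshold=5, backoff_base=1.0,
                 backoff_cap=300.0, clock=time.monotonic):
        self.lockout_threshold = lockout_threshold
        self.backoff_base = backoff_base
        self.backoff_cap = backoff_cap
        self.clock = clock
        self.account_failures = defaultdict(int)
        self.locked_accounts = set()
        self.ip_failures = defaultdict(int)
        self.ip_blocked_until = {}

    def check(self, username, ip):
        """Return (allowed, reason); call this before verifying the password."""
        if username in self.locked_accounts:
            return False, "account locked"
        wait = self.ip_blocked_until.get(ip, 0.0) - self.clock()
        if wait > 0:
            return False, f"retry after {wait:.0f}s"
        return True, "ok"

    def record_failure(self, username, ip):
        """Register a failed attempt; returns the delay now imposed on the IP."""
        self.account_failures[username] += 1
        if self.account_failures[username] >= self.lockout_threshold:
            self.locked_accounts.add(username)
        self.ip_failures[ip] += 1
        delay = min(self.backoff_base * 2 ** (self.ip_failures[ip] - 1),
                    self.backoff_cap)
        self.ip_blocked_until[ip] = self.clock() + delay
        return delay

    def record_success(self, username, ip):
        """A correct password clears the counters for that user and IP."""
        self.account_failures.pop(username, None)
        self.ip_failures.pop(ip, None)
        self.ip_blocked_until.pop(ip, None)

    def admin_unlock(self, username):
        """Only an administrator, after verifying the user, clears a lockout."""
        self.locked_accounts.discard(username)
        self.account_failures.pop(username, None)


def demo():
    """Replay two constructed attack patterns with a fake clock."""
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])

    # 1. One IP hammers 'alice': the account locks on the 5th failure and
    #    stays locked even after the IP backoff has expired.
    attacker_ip = "203.0.113.7"  # documentation address, constructed
    for _ in range(5):
        throttle.record_failure("alice", attacker_ip)
        now[0] += 1000.0  # wait out the IP backoff between attempts
    account_locked = throttle.check("alice", attacker_ip)

    # 2. A second IP sprays one password across many users: each account sees
    #    only one failure, but the per-IP delay grows 1, 2, 4, 8 seconds.
    spray_ip = "198.51.100.9"
    spray_delays = [throttle.record_failure(user, spray_ip)
                    for user in ("bob", "carol", "dave", "erin")]
    spray_blocked = throttle.check("frank", spray_ip)
    now[0] += spray_delays[-1]  # the delay passes and the IP may try again
    spray_allowed = throttle.check("frank", spray_ip)

    # 3. The administrator unlocks alice after verifying her identity.
    throttle.admin_unlock("alice")
    alice_after_unlock = throttle.check("alice", attacker_ip)

    return {
        "account_locked": account_locked,
        "spray_delays": spray_delays,
        "spray_blocked": spray_blocked,
        "spray_allowed": spray_allowed,
        "alice_after_unlock": alice_after_unlock,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-IP rule is deliberately independent of the per-account rule: the spraying attacker in scenario 2 never trips the account lockout, yet is still forced to wait longer after every failure. Attackers who spread attempts over many source addresses defeat per-IP backoff, which is why the page also recommends multi-factor authentication and log monitoring.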
Implement captcha
A CAPTCHA asks the login user to perform an action that only a human is expected to complete, such as identifying distorted letters and numbers, recognising objects in images, or ticking a checkbox. Embedding a CAPTCHA in the login flow helps tell a human user from an automated script and stops simple bots from launching a brute force attack. It is one layer among several rather than a complete solution: determined attackers can route challenges to CAPTCHA-solving services.
Limit the logins from a specified range of IP addresses
Where the legitimate users are known, restrict logins to a specified range of IP addresses (an allowlist) so that attempts from anywhere else are rejected before a password is even checked. This suits administrative interfaces and internal systems; it is rarely practical for services open to the public.
Assign unique login URL
Giving each user or group of users a different login URL can slow the pace of a brute force attack and raise the attacker's cost. This is obscurity rather than a real access control: it deters untargeted bots that scan for standard login pages, but not an attacker who has already learned the URL.
Store salted password hashes on servers
Salting means adding random data to the password before hashing it, with a different salt for each user, stored alongside the hash. Users who choose the same common password then end up with different hashes, so an attacker who obtains the database cannot spot identical passwords or use precomputed tables and must attack each hash separately. Salting alone does not make an individual guess slower, so the hash function should also be a deliberately slow, password-specific one such as bcrypt, scrypt or Argon2 rather than a fast general-purpose hash such as MD5 or SHA-256.
Monitor system log
Keep watch on the server's authentication logs for abnormal login attempts, in particular the conditions listed under “How to identify Brute Force Attack” above. Brute force attacks run at a pace nobody reviews by hand, so logs should be collected centrally and alerts raised automatically; this allows an attack to be detected at an early stage.
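As an added example serving both the indicators listed under “How to identify Brute Force Attack” and the log-monitoring advice above (it is not code from the original page), the following Python script runs those four checks over a constructed set of login log lines. The log format, the detection thresholds and the addresses are assumptions chosen for illustration; in practice the parser would be adapted to the real log source (web server, SSH daemon, identity provider) and the alerts forwarded to a monitoring system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed application format
# "<ISO-8601 timestamp> <FAIL|OK> user=<name> ip=<address>"; not taken from
# any real system. Four attack patterns are planted:
#   203.0.113.7   six failures against one account within 20 seconds (burst)
#   198.51.100.9  one failure each against four different users (spraying)
#   192.0.2.33    usernames tried in numerical sequence (acct01, acct02, ...)
#   admin         one account attacked from three different addresses
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:05Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:09Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:13Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:17Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:21Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:02:00Z OK user=alice ip=10.0.0.5
2024-05-01T11:00:00Z FAIL user=bob ip=198.51.100.9
2024-05-01T11:05:00Z FAIL user=carol ip=198.51.100.9
2024-05-01T11:10:00Z FAIL user=dave ip=198.51.100.9
2024-05-01T11:15:00Z FAIL user=erin ip=198.51.100.9
2024-05-01T12:00:00Z FAIL user=acct01 ip=192.0.2.33
2024-05-01T12:00:30Z FAIL user=acct02 ip=192.0.2.33
2024-05-01T12:01:00Z FAIL user=acct03 ip=192.0.2.33
2024-05-01T13:00:00Z FAIL user=admin ip=203.0.113.50
2024-05-01T13:20:00Z FAIL user=admin ip=203.0.113.51
2024-05-01T13:40:00Z FAIL user=admin ip=203.0.113.52
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")
SEQ_RE = re.compile(r"^(.*?)(\d+)$")


def parse(lines):
    """Return (timestamp, result, user, ip) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def has_sequential_run(names, run_len):
    """True if names with a common prefix carry run_len consecutive numeric suffixes."""
    by_prefix = defaultdict(set)
    for name in names:
        m = SEQ_RE.match(name)
        if m:
            by_prefix[m.group(1)].add(int(m.group(2)))
    for numbers in by_prefix.values():
        ordered = sorted(numbers)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_len:
                return True
    return False


def detect(events, burst_n=5, burst_window=timedelta(seconds=60),
           spray_users=4, distributed_ips=3, seq_len=3):
    """Return a set of (rule, subject) alerts for the four indicators."""
    alerts = set()
    by_ip = defaultdict(list)    # ip -> [(timestamp, user)] for failures
    by_user = defaultdict(set)   # user -> {ip} for failures
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
            by_user[user].add(ip)

    for ip, attempts in by_ip.items():
        times = sorted(ts for ts, _ in attempts)
        # burst: any burst_n consecutive failures that fit inside burst_window
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= burst_window:
                alerts.add(("burst", ip))
                break
        users = {user for _, user in attempts}
        if len(users) >= spray_users:          # many usernames, one source
            alerts.add(("spray", ip))
        if has_sequential_run(users, seq_len):  # user01, user02, user03 ...
            alerts.add(("sequential", ip))

    for user, ips in by_user.items():           # one username, many sources
        if len(ips) >= distributed_ips:
            alerts.add(("distributed", user))
    return alerts


def run_sample():
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for rule, subject in sorted(run_sample()):
        print(f"{rule:12s} {subject}")
```

Note that the spraying and the sequential-username cases never exceed four failures per address and one failure per account, so a rule that only counts failures per account would miss them; that is why the page lists all four conditions rather than a single threshold.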
Timely remove / revoke user accounts
Grant account permissions according to the principle of least privilege. When a user's responsibilities change or the user leaves, adjust the access rights or revoke the account promptly. Orphaned accounts and accounts with misconfigured access rights are loopholes in a system and may lead to data exposure; an orphaned account is also an attractive brute force target, because nobody is around to notice its failed logins.
Perform periodic review on user accounts
Review the list of user accounts regularly to identify unmanaged accounts, especially privileged ones, which are weak points in your systems.
Enhance awareness of staff
People are often the weakest link in security, so it is crucial to keep staff aware of the risk of brute force attacks and of the importance of strong passwords. Organisations should also consider setting out a security policy and providing proper guidance to staff.
Extended Readings
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) - Personal Internet Service Account Security Management Guideline
The Open Web Application Security Project - Brute Force Attack
The Open Web Application Security Project - Blocking Brute Force Attacks
