What is a Brute Force Attack?
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
What are the goals of a brute force attack?
The ultimate goal of a brute force attack is to steal password and login credentials to gain access to online accounts. After an attacker gains access it doesn’t stop there. They may use accounts to send out spam or phishing messages to other users. Another action might be making changes to online websites in a negative way to harm an organization. Attackers might even keep login credentials with the idea to sell them to third parties.
What are some types of brute force attacks?
There are multiple ways for an attacker to carry out a brute force attack. One way is through a dictionary attack. The method used here is trying hundreds, or thousands, of words found in a dictionary as the password for someone’s account. As you can imagine, this method is getting a little outdated due to the amount of effort it might take.
Next is a reverse brute force attack, done by taking a common password like “1234” and trying to match it up with a list of usernames to gain access that way.
There is also credential stuffing. This is typically where stolen account credentials, usually consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
How to protect against a brute force attack
Difficult, lengthy passwords
Easy ways to increase the security of your passwords is to increase the amount of characters in your password and make it a little more complex by adding numbers or allowed symbols
Limit login attempts
Making sure your accounts only allow limited login attempts can reduce the risk of password guessing. Once the amount of failed login attempts has reached the max it will not allow anymore.
- 5 best practices for companies serious about data privacy
- The anatomy of a phishing email: 5 things to look for before you click
- 2020 state of passwords and authentication security report