In this article, we’ll take a comprehensive look at brute force attacks: what they are, how they work, and the different shapes they can take. You'll learn about popular tools used by hackers and see examples of brute force attacks in action. By the end of this article, you'll understand the critical prevention measures for brute force attacks.
What is a Brute Force Attack?
A brute force attack is a cyber attack where a hacker guesses information, such as usernames and passwords, to access a private system. The hacker uses trial and error until correctly guessing the credentials needed to gain unauthorized access to user accounts or organizational networks.
The "brute-force" terminology is derived from the tactic of using constant attempts or excessive "force" until the threat actor arrives at the desired result—entry into a system with the right credentials. Hackers often use personal information such as their targets' names, addresses, or interests as a starting point to guess a password.
Simple vs. automated brute force attack
Brute force attacks are a relatively old yet preferred method for system access, mainly targeting cloud service providers. In fact, 51% of hackers favor using brute force due to cloud architecture's vulnerabilities such as misconfigured software or easy-to-obtain admin usernames. The traditional form of this tactic, a simple brute force attack, involves someone manually attempting to guess credentials based on common passwords or information they already have.
Hackers have now turned to automation to simplify and streamline the traditional one-guess-at-a-time approach. Automated brute force attacks use intelligent software tools to generate and attempt a series of passwords, often millions, within seconds until they find the correct login information. Streamlined password-cracking means quicker access into applications and networks, adding to the 81% of data breaches caused by poor password hygiene.
Reasons Behind Brute Force Attacks
Hackers know most users implement weak passwords: those that are short and easy to remember, without a combination of upper case, lower case, numeric, and special characters to add a layer of complexity.
83% of Americans create weak passwords in terms of length (less than 10 characters) and character complexity (only numbers and letters) and 53% use the same passwords across accounts.
Additionally, many account credentials include personal information that could easily be found online, such as a user’s name, birth date, or interests. For instance, if a hacker knows that someone was born in 1990 and is a Chicago Bears football fan based on their Facebook page, they could incorporate that information into their brute force algorithms.
"123456" is one of the most commonly used passwords in the world making it an easy choice for a hacker attempting a brute force attack.
Once system access is gained, the hacker can steal proprietary information for a competitor, download data to sell on the dark web, lock out administrators until they receive a ransom payment, or spread malware throughout the system for economic, political, or even social reasons.
71% of all data breaches are financially motivated.
How Do Brute Force Attacks Work?
A brute force attack is both a specific attack method and a broad category of similar attacks. Variation occurs in where hackers start and how they make their attempts. As mentioned earlier, hackers can use manual processes or automated software to infiltrate a private network. Additionally, hackers may already have access to certain information before they begin their attempts.
For example, in a method known as a "reverse brute force attack," the hacker already holds a list of passwords, often downloaded from the dark web, and tries to match each one against usernames until access is gained. Alternatively, in a type called "credential stuffing," the hacker already has the correct credentials for one website, user account, or other system and attempts to use them on others.
Different Types of Brute Force Attacks
Within the broader category of a brute force attack is a set of similar methodologies for deploying brute force with slight variations. The main types of brute force attacks include:
- Traditional Brute Force Attacks: A simple method of brute force where a hacker has a username or list of usernames and attempts, manually or by running a brute force program script, to guess passwords until a correct combination of credentials is found.
- Dictionary Attacks: An advanced method where a hacker uses a premade list of phrases based on research of the target or slight variations of common (or potential) passwords to run against a specific username. The list they choose to use is considered a "dictionary" of amended or slightly altered words or character combinations.
- Hybrid Attacks: A method of combining simple (traditional) brute force attacks with dictionary attacks. The hacker takes the most common phrases and words from the "dictionary" and attempts numerous variations of potential passwords until a combination is found.
- Reverse Brute Force Attacks: A method where a hacker starts with a known password, either acquired from a breach or commonly used, then tries it against many usernames until a working combination is found. This differs from a traditional brute force or dictionary attack because the attacker works backwards, starting from known passwords instead of known usernames.
- Credential Stuffing: A method where a hacker already has known username and password combinations for one system and uses those same credentials to access other accounts, profiles, or systems associated with the same user. This attack works because users frequently recycle passwords across their accounts.
Popular Brute Force Attack Tools
The most common brute force attack tools are the ones that help automate the process of guessing credentials and finding combinations. They perform various functions such as identifying weak passwords, decrypting password data, running character combinations, and deploying dictionary attacks while running against many different protocols and operating systems.
Some of the most popular tools include:
- John the Ripper: Open-source software that lets users run dictionary attacks and detect weak passwords through various cracking and decryption techniques.
- Aircrack-ng: An open-source tool that focuses on penetration testing for wireless network security through dictionary attacks against network protocols.
- Hashcat: A penetration testing tool that works from known "hashes." A hash is a password that has been run through a one-way formula and converted to a fixed-length string of seemingly random characters, the same length regardless of how long the password is. With the hashes in hand, an attacker can use Hashcat to run dictionary or rainbow table attacks to recover the readable password that produced each hash.
Brute force hardware
Any type of brute force attack and relevant tool needs a lot of computing capabilities, demanding more powerful hardware solutions. In many cases, a single central processing unit (CPU) isn't enough to quickly crack a password or even run these functions at all. As a result, the cybercrime industry has now incorporated graphics processing units (GPUs) into its arsenal to accelerate data processing tasks.
While the Nvidia RTX 3090 GPU is commonly used for gaming, its manufacturer has confirmed that the hardware can be used for password cracking. It is one of the most popular brute force GPUs available, allowing 200 times as many password guesses per second.
Examples of Brute Force Attacks
Dunkin’ Donuts pays over half a million in penalties
In a famous 2015 incident involving the use of brute force, Dunkin’ Donuts digital customer accounts were targeted by hackers who used a leaked list of previously stolen credential information and ran brute force algorithms. They gained access to 19,715 user accounts for the customer loyalty application and stole tens of thousands of dollars of rewards cash.
The brute force attack and breach of customer accounts at Dunkin’ Donuts resulted in $650,000 in fines and damages, and forced the company to reset all user passwords and upgrade security protocols for the application.
20.6 million accounts compromised at Alibaba
In 2016, a team of hackers used a previously breached database with over 99 million credentials for multiple web applications. Taking advantage of weak passwords and users implementing the same password across other accounts, they used brute force and credential stuffing to successfully access nearly 20% of all the targeted accounts.
While no dollar amount of damages has been indicated, it was confirmed that nearly 20.6 million Alibaba accounts were successfully compromised and accessed maliciously, and all users were asked to change their passwords.
Difference Between Online and Offline Brute Force Attacks
In online brute force attacks, the hacker directly targets the network or application. However, these attacks are restricted by the system’s countermeasures. For instance, most systems will lock a user out after a certain number of incorrect login attempts.
To get around this potential roadblock, attackers can use offline brute force attacks. These attacks allow password cracking attempts without ever logging into the target's server. Since stored password data is protected with hashes or encryption, the hacker works backward during an offline attack: starting from the stolen hashes, a program hashes candidate passwords and compares the results with the stolen values until a match is found.
Brute Force Attacks vs. Other Cyber Attacks
Brute force attacks vs. dictionary attacks
A dictionary attack can be categorized as a type of brute force attack or its own tactic. When defined independently, a dictionary attack uses a premade list of passwords with various similar phrases or character combinations the specific user might include. On the other hand, in most standard brute force attacks the hacker only uses passwords commonly used by the general public.
Brute force attacks vs. password spraying
Password spraying is a type of brute force attack in which the hacker applies a single password across multiple systems rather than attempting many passwords for one account, application, or network.
Brute force attacks vs. DoS
In a Denial-of-Service (DoS) attack, a single attacker attempts to shut down a server and make it unusable by overloading the system with too much traffic or unnecessary service requests. Brute force, by contrast, is a method for gaining unauthorized access to a system. A cybercriminal might use brute force to gain entry to a server and then perform a DoS attack to shut it down from the inside.
Brute force attacks vs. DDoS
Distributed Denial-of-Service (DDoS) attacks are DoS attacks that use multiple computers or systems (instead of just one) to go after a single server or network resource. This multi-source mechanism makes DDoS fast to deploy and hard to detect. This differs from brute force attacks which only focus on gaining access to a system through matching credentials, deciphering passwords, and attempting logins.
Brute force attacks vs. credential stuffing
Credential stuffing is the process of taking known credentials from one system and applying them to others. While it can be considered a type of brute force attack, it's often a consequence of a successful brute force attempt where the hacker acquires credentials and causes further damage across other applications.
Best Ways to Prevent Brute Force Attacks
Brute force attacks are rooted in credential compromise, so requiring employees to construct complex passwords is a good start. You can also create a "moving target" by prompting or demanding password changes every few months.
On the account security side, for both external and internal applications, system administrators should incorporate lockout policies that keep potentially malicious actors out of a system after too many incorrect login attempts. You can also use Zero Trust best practices, such as multi-factor authentication (MFA), to require additional authentication.
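The lockout policy described here, the online-attack limits discussed under online vs. offline attacks, and password spraying from the comparison section fit together in one defensive picture, shown below as an added example that is not code from the article or from StrongDM's product. A small Python detector runs over constructed sshd-style log lines (addresses from the RFC 5737 documentation ranges, not real hosts) and a lockout policy is replayed over the same lines. It shows that a per-account lockout stops the single-account flood but does nothing against a source that tries each account only once, which is why the detector also counts distinct accounts per source. The log format, thresholds and windows are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sshd-style log lines for this example (not taken from the article).
# 203.0.113.7 hammers one account; 198.51.100.9 tries five accounts once each
# (spraying); 192.0.2.5 is an ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:01+00:00 sshd[1201]: Failed password for alice from 203.0.113.7 port 51000
2024-05-01T10:00:02+00:00 sshd[1202]: Failed password for alice from 203.0.113.7 port 51001
2024-05-01T10:00:03+00:00 sshd[1203]: Failed password for alice from 203.0.113.7 port 51002
2024-05-01T10:00:04+00:00 sshd[1204]: Failed password for alice from 203.0.113.7 port 51003
2024-05-01T10:00:05+00:00 sshd[1205]: Failed password for alice from 203.0.113.7 port 51004
2024-05-01T10:00:06+00:00 sshd[1206]: Failed password for alice from 203.0.113.7 port 51005
2024-05-01T10:01:00+00:00 sshd[1210]: Failed password for alice from 198.51.100.9 port 40000
2024-05-01T10:01:01+00:00 sshd[1211]: Failed password for bob from 198.51.100.9 port 40001
2024-05-01T10:01:02+00:00 sshd[1212]: Failed password for carol from 198.51.100.9 port 40002
2024-05-01T10:01:03+00:00 sshd[1213]: Failed password for dave from 198.51.100.9 port 40003
2024-05-01T10:01:04+00:00 sshd[1214]: Failed password for erin from 198.51.100.9 port 40004
2024-05-01T10:02:00+00:00 sshd[1220]: Failed password for bob from 192.0.2.5 port 33000
2024-05-01T10:02:05+00:00 sshd[1221]: Accepted password for bob from 192.0.2.5 port 33001
"""

# Simplified pattern; real sshd logs also carry variants such as "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect(lines: List[str], per_account_threshold: int = 5,
           spray_user_threshold: int = 5) -> dict:
    """Flag two patterns: many failures against one account from one source (classic
    brute force) and one source failing against many distinct accounts (spraying)."""
    failures_by_pair: Dict[tuple, int] = defaultdict(int)
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["ok"]:
            continue
        failures_by_pair[(ev["ip"], ev["user"])] += 1
        users_by_ip[ev["ip"]].add(ev["user"])
    brute = sorted((ip, user, n) for (ip, user), n in failures_by_pair.items()
                   if n >= per_account_threshold)
    spray = sorted((ip, len(users)) for ip, users in users_by_ip.items()
                   if len(users) >= spray_user_threshold)
    return {"brute_force": brute, "password_spray": spray}


class LockoutPolicy:
    """Lock an account after max_failures failed attempts inside `window`; a successful
    login on an unlocked account clears its failure history."""

    def __init__(self, max_failures: int = 5, window: timedelta = timedelta(minutes=15),
                 lock_for: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures: Dict[str, List[datetime]] = defaultdict(list)
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record(self, user: str, ok: bool, now: datetime) -> bool:
        """Record one attempt; return True if the account is locked after it."""
        if self.is_locked(user, now):
            return True
        if ok:
            self._failures.pop(user, None)
            return False
        recent = [t for t in self._failures[user] if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_for
            self._failures.pop(user, None)
            return True
        return False


def replay(lines: List[str], policy: Optional[LockoutPolicy] = None) -> Set[str]:
    """Replay the log through the policy and return the accounts that ended up locked."""
    policy = policy or LockoutPolicy()
    locked: Set[str] = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is not None and policy.record(ev["user"], ev["ok"], ev["ts"]):
            locked.add(ev["user"])
    return locked


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(detect(lines))
    print("locked accounts:", replay(lines))
```

Running it locks only `alice`: the spraying source never trips a per-account counter because it makes a single attempt per user, yet `detect` reports it from the number of distinct accounts it touched. That is the gap MFA and source-based rate limiting are meant to close, since a lockout policy alone answers the attack in the first paragraph of this section but not the one in the password-spraying comparison.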
Using MFA is one of the strongest solutions for preventing account hacks, with the ability to block roughly 99.9% of automated attacks.
For stronger protection against brute force attacks, consider eliminating passwords altogether. Passwordless authentication uses biometrics such as facial recognition and hardware like a fob or token for application and network access. Brute force only works when the verification system is "something you know," such as a password or personal identification number (PIN).
How StrongDM Simplifies Protection from Brute Force Attacks
StrongDM’s Dynamic Access Management (DAM) platform integrates with your identity provider to offer centralized authentication, authorization, networking, and observability. Administrators can enforce minimum password requirements for all users, and credentials are securely stored and hashed with StrongDM so they can never be seen in plain text.
StrongDM can integrate with Duo Security to enforce multi-factor authentication on all SDM Client sessions. Additionally, a user’s account is automatically locked after five failed authentication attempts. These countermeasures greatly limit the efficacy of a brute force attack.
Brute Force Attacks: Frequently Asked Questions
Is a brute force attack illegal?
The legality of a brute force attack is dictated by intent. In other words, if you're attempting to maliciously access a user account or organization's network to cause harm through financial or other motivations, then it is illegal.
However, if you are running a penetration test on an organization as a service, have prior permission and a service agreement with the client target, and choose to use brute force to assess security risks, then it is not illegal.
How common are brute force attacks?
Because of the variance in brute force attack definition, it's tough to decipher just how frequent they really are. One recent study, however, found that in 2021, 6% of all successful network intrusions were a result of brute force—up from 4% the year before.
How successful are brute force attacks?
Theoretically, brute force attacks have a 100% success rate, though the hacker may have to wait years for their automated systems to correctly guess a complex password. Realistically, brute force attacks are popular and effective for determining weak passwords, particularly for web applications—accounting for 80% of all attacks.
What are the weaknesses of brute force?
For the most part, brute force attacks only work if the user has a weak password. Therefore, a brute force attack is not effective against a strong password with at least 12 characters using uppercase, lowercase, numeric, and special characters that do not include personal information. Organizations can also invest in passwordless authentication solutions to eliminate the risk of a brute force attack.
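The policy stated in this answer (at least 12 characters, all four character classes, no personal information) can be enforced at password-change time. The checker below is an added example written for this page, not code from the article or from StrongDM; the short common-password list, the tokenization of personal information and the sample inputs are assumptions constructed for the example.

```python
import re
from typing import Iterable, List

# Constructed shortlist of widely used passwords for this example; a real deployment
# would check against a large breach corpus rather than a handful of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678", "letmein"}

CHARACTER_CLASSES = [
    ("uppercase letter", re.compile(r"[A-Z]")),
    ("lowercase letter", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special character", re.compile(r"[^A-Za-z0-9]")),
]


def personal_tokens(personal_info: Iterable[str]) -> List[str]:
    """Split names, dates and interests into lowercase tokens of three or more characters,
    so 'Chicago Bears' and '1990' each become something the password is checked against."""
    tokens = []
    for item in personal_info:
        for token in re.split(r"[^A-Za-z0-9]+", item.lower()):
            if len(token) >= 3:
                tokens.append(token)
    return tokens


def policy_findings(password: str, personal_info: Iterable[str] = (),
                    min_length: int = 12) -> List[str]:
    """Return every way the password misses the policy; an empty list means it passes."""
    findings = []
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    for name, pattern in CHARACTER_CLASSES:
        if not pattern.search(password):
            findings.append("no %s" % name)
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")
    for token in personal_tokens(personal_info):
        if token in lowered:
            findings.append("contains personal information %r" % token)
    return findings


def is_acceptable(password: str, personal_info: Iterable[str] = ()) -> bool:
    return not policy_findings(password, personal_info)


if __name__ == "__main__":
    # Constructed profile matching the article's example of a 1990-born Bears fan.
    profile = ["Chicago Bears", "1990"]
    for candidate in ["123456", "GoBears1990!", "Tr0ub4dor&3-xyzzy"]:
        print(candidate, "->", policy_findings(candidate, profile) or "ok")
```

Length and character classes are cheap to check, but the personal-information and common-password checks are the ones that address how the article says attackers actually build their guesses; a password can satisfy every complexity rule and still be the first thing a dictionary built from a public profile would try.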
How long does it take to crack an 8-character password?
The time it takes to crack an 8-character password varies by password design. With some of the advanced brute force password cracking tools available, hackers can instantly uncover a password that only uses a single type of character. When users utilize both upper and lowercase characters, it takes hackers two minutes to crack the password, followed by seven minutes with the addition of numbers. Finally, it takes 39 minutes when you include special characters.
Protect Your Business with StrongDM
Brute force attacks are a way of gaining unauthorized access to a system by taking advantage of common credential weaknesses such as poorly designed, recycled, and stale passwords. Through persistent trial and error on password entries, hackers use various brute force methods, offline and online approaches, and sophisticated tools to obtain correct credentials quickly.
Want to learn how StrongDM can help protect your systems from brute force attacks? Sign up for our 14-day free trial.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.