A brute force attack, also known as an exhaustive search, is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered. The longer the password, the more combinations that will need to be tested. A brute force attack can be time consuming, difficult to perform if methods such as data obfuscation are used, and at times down right impossible. However, if the password is weak it could merely take seconds with hardly any effort. Weak passwords are like shooting fish in a barrel for attackers, which is why all organizations should enforce a strong password policy across all users and systems.

Brute force attacks are usually used to obtain personal information such as passwords, passphrases, usernames and Personal Identification Numbers (PINS), and use a script, hacking application, or similar process to carry out a string of continuous attempts to get the information required.

Goals of a brute force attack include:

• Theft of personal information such as passwords, passphrases and other information used to access online accounts and network resources
• Harvesting credentials to sell to third parties
• Posing as users to send phishing links or spread fake content
• Defacement of websites and other information in the public domain that could damage the reputation of the organization
• Redirecting domains to sites holding malicious content

They can also be used for positive gains. Many IT specialists use this method of attack to test network security and more specifically, the strength of the encryption used on the network.

An attacker is usually aided by automated software that uses computing to systematically check password combinations until the correct one is identified. Using a brute force password cracking application is required in order to go through numerous combinations and possibilities that can be difficult or impossible to calculate by a human alone. Popular examples of brute force attack tools include:

• Aircrack-ng
• John the Ripper
• L0phtCrack
• RainbowCrack

There are a number of different types of brute force attack, each of which has the same goals detailed above.

Hybrid Brute Force Attacks

You may have heard of dictionary attacks. These are one of the most common forms of brute force attack and use a list of words in a dictionary to crack passwords. Other types of attack may use a list of commonly used passwords. If your password is 'password', for example, a brute force bot would be able to crack your password within seconds.

Reverse Brute Force Attack

Reverse brute force attacks don't target a specific username, but instead, use a common group of passwords or an individual password against a list of possible usernames.

Credential Stuffing

When a username and password pairing is known by the attacker, they can use this information to gain access to multiple websites and network resources. For example, many users choose the same password to access many different websites for the sake of simplicity. Taking precautions like using two-factor authentication and using different passwords for every different network resources can help to prevent brute force attacks that rely on credential stuffing.

Brute force attacks typically rely on weak passwords and careless network administration. Fortunately, these are both areas that can be improved easily in order to prevent vulnerabilities that could bring your network or website resources to their knees. For example, utilizing strong passwords, allowing a limited number of login attempts and enabling two-factor authentication can help to prevent brute force attacks.

Ultimately, it is important to educate your organization on the importance of password strength and the general information security habits. Even with a strong password, employees can fall victim to insider threats if security is not a strong part of your culture. Learn more about Forcepoint’s Insider Threat Program offerings.