A brute force attack uses trial-and-error to guess every possible password combination until it hits the right one. This may sound low-tech, but brute force attacks have an ominously high strike rate. An FBI report measured the losses due to cyberattacks at $4.2 billion in 2020, with brute force attacks accounting for a sizeable chunk. A recent cybersecurity report recorded over 55 billion brute force attacks in just over four months in 2021. That’s nearly 45 million attacks a day!
Driving this spate of attacks is the ability of modern machines to try out trillions of possibilities in mere hours, coupled with hackers’ capability to automate such attacks. Add to this the fact that most people continue to disregard strong password recommendations — more so in our current remote or hybrid works models — and one gets a clearer idea about why brute force attacks are trending upward.
Organizations succumb to simple brute force attacks for several reasons — the most obvious being they simply overlook its possibility. This lapse can easily result in a massive data breach with just one hacked password.
The term brute force stems from hackers’ forceful attempts to gain access. With the right bots to help, a brute force attack can crack an eight-character alphanumeric password with special characters in just two hours! Hackers usually try several passwords and username combinations until they strike the correct information. With millions of computer users still recycling passwords, even one hacked password can spell serious trouble.
There are many different types of brute force attacks. The most common include:
Simple brute force attacks rely on automation and scripts to guess passwords. These attacks are mostly likely to crack simple and commonly used passwords.
In a dictionary attack, hackers zero in on a potential target and then run every possible password combination to find a match. Usually, the hackers will make basic assumptions about common password practices to save time. They also alter the spellings of possible dictionary words to find the right combination. This type of attack takes a relatively long time and is therefore less favored.
Exhaustive key search is a more modern approach to brute force. Hackers employ powerful computers and automation to try out every possible combination with every imaginable character until they find the right one.
Credential recycling assumes users use the same passwords for multiple accounts. Hackers try passwords exposed in other breaches to find the right match. A 2019 Google study found that nearly 52% of the respondents use the same password for multiple accounts.
A reverse brute force attack also uses passwords leaked in previous data breaches. Pairing this data with lists of the most common passwords, attackers combine a username with a commonly used password until a match is found.
There were 2,354 ransomware attacks on local government agencies, health care institutions, and schools in the US in 2020 alone. Each of these incidents cost over $300,000, and most of were initiated with a brute force attack. Adopting the zero trust security approach to help prevent such attacks is not just a matter of security but also of financial responsibility.
A crucial element of the zero trust framework is multi-factor authentication (MFA). Given how easily hackable most username and password combinations are, MFA is an added security layer that authorizes access to a system only after authenticating the user’s credentials through two or more factors. These factors could be:
Something the user knows, like a password
Something the user possesses, like a one-time token
Something the user is, like a fingerprint
Beyond MFA, the Cyolo next generation zero trust access solution also includes an identity-centric vault, which creates a primary ID for all users and saves their passwords internally. The vault merges multiple accounts into one trusted user identity and stores all sensitive credentials locally, avoiding the vulnerabilities of a centralized cloud. With passwords no longer needed by the user, brute force attacks are rendered useless.
Despite their unsophisticated nature, brute force attacks have a high success rate and are the technique that enabled many recent high profile data breaches. Implementing MFA across all systems is key to preventing brute force attacks, and adopting additional zero trust access policies, such as least privilege access, will make your defense even stronger.
Learn more about zero trust here.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.