Brute force attacks are a significant cybersecurity threat where hackers use various methods to crack passwords and gain unauthorized access to systems. This article explores different types of brute force attacks and provides strategies to protect your organization, including the use of advanced password management tools like Passpack.
According to Hive Systems, a leading cybersecurity consulting and risk management firm, an 8-character password consisting of just numbers can be cracked in 37 seconds using modern brute force hacking techniques, and anything shorter can be cracked almost instantly.
That means businesses need to take extra steps to secure user credentials. And we’re not just talking about adding more characters to a password string (although never a bad idea). This article presents some tips to detect and prevent different types of brute force attacks, and why a password manager like Passpack should be your first line of defense.
What are brute force attacks?
A brute force attack is one of the original hacking methods used by cybercriminals to steal user passwords to enter an organization’s IT infrastructure. The term originates from the use of continuous, repeated attempts to guess a username and password through trial and error until the hacker finds a match. Brute force attacks are quite effective against weak passwords.
To correctly guess a username and password manually is a tedious and time-consuming process that could take years, even if the credentials are weak (see Hive Systems chart). But hackers are patient, inventive, and the potential for a large payoff is enticing, so brute force attacks remain a popular means of attack.
To speed their efforts cybercriminals have developed password-cracking applications and tools that can try millions of username and password combinations per minute. Coupled with advancements in AI plus access to powerful CPUs and GPUs to run programs like John the Ripper, Ncrack, RainbowCrack, Hashcat, Hydra, Aircrack-ng, and others, hackers are cracking passwords in seconds that just a year or two ago took days or weeks – and there’s not a lot of skill required to use them. With sufficient processing power behind them, hackers can set their sights on multiple targets and let password-cracking apps do the work, even if it takes months. Patience.
Types of brute force attacks
There are several different flavors of brute force attacks, but they’re all after the same thing: user and network credentials.
- Simple brute force attacks: Attempts to guess a user’s login credentials are entered manually without the aid of software. Generally limited to weak and short passwords, but with a little digging into a target’s social media profile, hackers can find clues about what passwords they may use, like a pet name or birthdate.
- Dictionary attacks: This method uses a software app like Jack the Ripper or Hashcat to automate the population of password fields based on popular wordlists. Single word passwords are quite susceptible to dictionary attacks.
- Hybrid brute force attacks: Combines Simple and Dictionary attack tools to conduct more intense search combinations using variations of the same root password and versions amended with special characters, numbers and symbols to crack more complex passwords.
- Reverse brute force attacks: Hackers start with a compromised password, usually obtained through a previous data breach, and then attempt to pair it with employee usernames in the company until a match is found.
- Password Spraying: Uses a list of common passwords to try to access multiple accounts in one domain or organization, potentially exposing hundreds of accounts in a single attack.
- Credential Stuffing: Hackers use the compromised username and password of a targeted user on multiple websites in the belief that they may use the same credentials across several domains and services.
Same ol’ threats, different vehicle
Cyberattacks have become more sophisticated. AI and deep fake technologies are making it harder to separate fact from fiction. In response, many organizations have fortified their defenses against the latest phishing, social engineering, supply chain, malware, and denial of service attacks.
But sometimes, just pounding on the door until it opens is the fastest way in, especially if users continue to use weak passwords in spite of the company’s other efforts. Once penetrated, hackers will attempt one or more of the following:
- Inject malware into IT systems to hijack a network or encrypt and hold data for ransom
- Steal customer and company data for sale on the dark web
- Insert spam ads on company websites to make money on fraudulent clicks, or redirect web traffic to illegitimate sites
Signs your organization has been targeted by a brute force attack
Monitoring attempted network login activity is the best way to detect a brute force attack. Look for these signs:
- An unusual amount of failed login attempts to a single user account. Continuous inputting of bad usernames is generally a sign of a brute force attack. Make sure IT is paying close attention to company login activity and is notified when a flurry of incorrect attempts are made.
- Unsuccessful login attempts across multiple accounts from the same IP address. This is a sign of a reverse brute force attack or password spraying.
- Login attempts from suspicious IP addresses. Some IP addresses are known to be malicious. These should be blocked.
- Abnormal user activity after login. If a user’s behavior is suddenly different, for example trying to access systems they never used before, this could be a sign user credentials have been compromised and an imposter is poking IT resources for backdoors.
Strategies to prevent brute force attacks
First and foremost, install a password management solution like Passpack to enforce the consistent use of strong passwords and best practices across all users. A password manager app acts like a secure vault for all a user’s credentials, PINs, and account numbers. Users only need to remember a single master password. Further, most password manager apps have a password generator tool that allows administrators to enforce rules for password length and strength, and policies for reuse, sharing, and expiration.
At minimum, Passpack recommends the use of 10-character “complex” passwords (combining upper and lowercase letters, numbers, and symbols). It would take today’s most powerful computer 33,000 years to crack, outlasting the most determined hacker. Other measures to implement include:
- Monitor and limit login attempts. See above for signs. IT should place a low, preferably single-digit limit on the maximum number of failed login attempts before the account is frozen, preventing password-cracking apps from trying thousands of combinations.
- Delete inactive accounts. Reduce your attack surface by removing accounts of users no longer with the company or who no longer need access.
- Use encryption. Encrypting passwords with 128-bit or 256-bit encryption makes them harder to crack.
- Enable Multi-factor Authentication (MFA). Make users provide a second authentication factor using Google, Microsoft Authenticator or YubiKey, for example.
- Subscribe to an IP blacklist. Protect your network by blocking the IP addresses of known attackers.
- Penetration testing. Scan your network with commercially available tools to find network vulnerabilities that can be exploited by hackers.
- Change all passwords after a breach. Don’t risk that systems that were not impacted this time won’t be targeted in the future. A password manager app can automate the changing of all passwords.
- Educate end users as to good password hygiene. All of these efforts will be for naught if your employees use easy to guess passwords. Best practices for password creation include:
- Create minimum 10-character passwords using letters, numbers, and symbols
- Do not use common terms, single words, or phrases found in a dictionary
- Do not include personal information such as a name, birthdate, or street address number in passwords
- Do not tie passwords to favorite teams, celebrities, or activities highlighted on social media accounts
- Use a completely different password for every account, not just variations of the same root password
Neutralize the threat of brute force attacks with Passpack
Weak, unprotected passwords make your organization vulnerable to brute force attacks even if all the above steps are implemented. Don’t make it easy for criminals to penetrate your network. Get Passpack.
Passpack is a centralized vault enabling the secure storage and sharing of passwords and credentials for every user in the organization. Passpack is built on a zero-trust architecture. No one, not even Passpack employees, have access to the data stored in user accounts. Each Passpack account is protected by MFA and user-side encryption through a Packing Key that only the owner knows. Passpack uses the highest-level 256-bit AES data encryption and includes a built-in password generator.
Infinitely scalable, Passpack supports an unlimited number of users, teams, and passwords. Administrators have 100% visibility into every password-related activity and can monitor and enforce consistent rules and policies for password strength, reuse, and sharing.
Best of all Passpack is extremely cost competitive. A monthly subscription plan offers the capabilities of comparable password manager applications combined with personalized customer support and fast response to feedback you won’t find anywhere else.
Would you like to learn if Passpack is right for you? Sign up for a 28-day free trial of the Passpack Business Plan and see how easy it is to help protect your business from brute force attacks while providing essential access control and facilitating collaboration. Send us an email at [email protected] to schedule a live demonstration.