What Are Brute-Force Attacks? How to Protect Yourself Against Them

If you've read security articles or heard about major breaches, you've probably heard the term "brute-force attack." But you might not know exactly what this means.

Let's walk through what a brute-force attack is, how they typically work, and how you can stay protected from them.

The Basics of Brute-Force Attacks

On a fundamental level, a brute-force attack is really simple. Brute-forcing a password refers to guessing every possible combination until you eventually figure it out. And while you can do this manually, it obviously becomes tedious before long.

Thus, in most basic brute-force attacks, a computer program tries to guess a password or an encryption key by iterating through all possible combinations for a certain number of characters.

For example, let's say you wrote a utility that tried to brute-force a four-digit iPhone passcode. It would start by guessing 0000, then 0001, then 0002, 0003, and so on until it got all the way to 9999.

[Image: Forgot iPhone Passcode Featured. Image Credit: dimarik/Depositphotos]

The same principle works with more complicated passwords. A brute-force algorithm trying to crack a password that has six alphanumeric characters might start with aaaaaa, aaaaab, aaaaac, and so on. It would then go on to mix in numbers (and possibly capitals), like aabaa1, aabaa2, aabaa3, and more, until it had worked through every possible six-character combination of letters and numbers, all the way to zzzzzz, zzzzz1, and beyond.

There's also a related technique known as the reverse brute-force attack, in which you try one common password against many different usernames. This is less common and more difficult to successfully use, but it gets around some common countermeasures (which we'll discuss in a bit).


Clearly, this is not an elegant way to guess a password. In theory, if you had enough computing power and time, you could guess any password using brute force. But if you're trying to break anything other than a short and simple password, brute-force attacks are inefficient. It would take years of time and tons of computing power to brute-force a strong password.

As you'd expect, password-cracking schemes have become more sophisticated than this.

Advanced Brute-Force Attacks

Because brute-force attacks are limited when used against anything but simple passwords, hackers have ways to improve them.

A dictionary attack, for example, doesn't just iterate through all the possible combinations of characters. Instead, it uses words, numbers, or strings of characters from a pre-compiled list—usually taken from something like a list of commonly leaked passwords. Because these passwords are so common, they're likely to provide entry into other accounts.


For example, a dictionary attack might try a number of common passwords, like "password," "123456," "letmein," and so on, before going into a standard brute-force attack. Or it might add the current year to the end of all the passwords that it tries before going onto the next password.

Dictionary attacks skip the vast number of unlikely combinations. This makes sense: for a basic eight-character password, someone is far more likely to use "dogs1234" than "zp1vg8el". By trying the more likely candidates first, an attacker cuts down the time spent brute-forcing.

Various methods of using brute-force attacks exist, but they all rely on trying a huge number of passwords as quickly as possible until the right one is found. They differ mainly in how they trade time against resources: some spend more computing power or storage up front so that the search finishes sooner, while others use fewer resources but take longer to run.

Where Brute-Force Attacks Are Dangerous

In theory, brute-force attacks can be used on any account or other platform that has a password or an encryption key. But many places where they could work usually have effective countermeasures against them, as examined below.

You're in the most danger from a brute-force attack if you lose your data and a malicious actor gets hold of it. Once a copy of a password-protected file, an encrypted disk or a database of password hashes is on someone else's computer, the attacker can guess offline at full speed: lockouts, delays and CAPTCHAs only apply while the guesses pass through the service or device that enforces them.

How might a miscreant get your data onto their computer? You could lose a flash drive when it drops out of your pocket. Maybe you leave your phone in an Uber ride. A hacked cloud service could expose some of your files to other people, or malware could copy your data to someone else's computer without your knowledge.

The point is that while brute-force attacks aren't effective in some places, there are still ways hackers can deploy them against your data. To avoid situations where a brute-force attack could crack protections on your data, you should keep close track of where your devices and files are.

Protecting Against Brute-Force Attacks

There are a number of defenses that websites and other tools use against brute-force attacks, as well as ways to protect yourself against them.

How Services Protect Against Brute-Force Attacks

One of the simplest and most commonly used protections is the lockout. With this, if you enter an incorrect password a certain number of times, the account refuses to accept any more login attempts. To try again, you need to get in touch with customer service or wait a certain amount of time.

This stops a brute-force attack in its tracks—instead of trying thousands of combinations in minutes, having to wait for 10 minutes or an hour to continue trying will deter a would-be hacker.

Websites can also deter brute-force attacks with a CAPTCHA challenge or similar. Having to fill out a CAPTCHA every time you want to try a password greatly slows down the process, defeating the point.

Neither of these methods will work against a reverse brute-force attack, though. Those attacks only fail a password test once for each account, which likely won't be enough to trigger the protection.

It's worth noting that while these tactics are great for avoiding brute-force attacks, they also open up other ways to attack a site. For example, if a brute-force attack is launched against a site that locks accounts after five incorrect attempts, its customer service team could get flooded with calls from legitimate users who have been locked out, thus slowing down its operations.

Overwhelming a site with brute-force attempts could also be employed as part of a distributed denial of service attack.
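The lockout described above, together with the reverse brute-force caveat, in working form. This is an added example written for this article, not code from any real login service; the thresholds (five failures, ten-minute lockout, ten distinct accounts per source) are illustrative assumptions. It shows why a per-account lockout alone misses a single password tried across many accounts, and how counting distinct failed accounts per source catches that pattern.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Toy login throttle: per-account lockout plus per-source spray detection.

    Added example with assumed thresholds; not a real product's logic.
    `clock` is injectable so the behaviour can be exercised without waiting.
    """

    def __init__(self, max_failures=5, lockout_seconds=600,
                 spray_accounts=10, spray_window=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.spray_accounts = spray_accounts
        self.spray_window = spray_window
        self.clock = clock
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp
        self.source_fail = defaultdict(deque)   # source -> deque of (time, account)

    def is_locked(self, account):
        """True while the account's lockout has not yet expired."""
        return self.locked_until.get(account, 0) > self.clock()

    def record_failure(self, account, source):
        now = self.clock()
        # A lockout that has expired starts the account's counter over.
        if account in self.locked_until and self.locked_until[account] <= now:
            del self.locked_until[account]
            self.failures[account] = 0
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
        # Per-source history used to spot one password sprayed over many accounts.
        history = self.source_fail[source]
        history.append((now, account))
        while history and now - history[0][0] > self.spray_window:
            history.popleft()

    def record_success(self, account):
        self.failures[account] = 0

    def spraying_suspected(self, source):
        """Many distinct accounts failing from one source inside the window."""
        now = self.clock()
        recent = {acct for ts, acct in self.source_fail[source]
                  if now - ts <= self.spray_window}
        return len(recent) >= self.spray_accounts
```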

How to Protect Yourself Against Brute-Force Attacks

Two-factor authentication is a powerful way to protect yourself against brute-force attacks, both standard and reverse. With two-factor authentication (2FA), even if a hacker does guess the right password, they still need the second factor's code to get into your account.

By far, though, the easiest way to protect yourself against a brute-force attack is to use a long password. As the length of a password increases, the computational power required to guess all the possible character combinations grows exponentially.

[Image: Long Password Strength]

Consider the iPhone passcode example from earlier. Older versions of iOS used a four-digit PIN, which has 10,000 possible combinations. Modern iOS versions, however, use a six-digit passcode by default. This increases the number of possible combinations to one million.

In either case, it's unlikely that someone would be able to actually brute-force your iPhone password, partially thanks to the lockout that happens after a few wrong guesses. But you can see that by adding just two more digits, the protection factor increases 100 times.

In addition to length, complex passwords are also much harder to brute-force. If someone wanted to break a password and knew that it only had lowercase letters, they could skip many possible combinations. But that same password length with numbers, uppercase letters, and symbols thrown in would increase the time to brute-force the password by several orders of magnitude.

Use secure passwords—ideally with a password manager so you don't have to remember them all—and you'll be all but immune to brute-force attacks. A 12-character password that uses uppercase and lowercase letters, numbers, and a pool of 18 symbols would have more than 68 sextillion possibilities. This would take centuries to brute-force.
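The arithmetic behind the passcode and 12-character examples above, as an added example that is not part of the original article. It computes the size of each keyspace (4-digit versus 6-digit PIN, and a 12-character password over 10 digits, 52 letters and 18 symbols, a pool of 80) and the worst-case time to exhaust it. The guess rates are assumptions: an illustrative 10 billion guesses per second for offline guessing against a stolen copy, and five tries per ten minutes when a lockout throttles online guessing.

```python
# Added example for the article's password examples; guess rates are assumptions.

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
SYMBOLS = "!@#$%^&*()-_=+[]{}"          # constructed pool of 18 symbols

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return pool_size ** length


def years_to_exhaust(pool_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(pool_size, length) / guesses_per_second / SECONDS_PER_YEAR


def lockout_limited_rate(attempts_per_window: int, window_seconds: float) -> float:
    """Effective guess rate when a lockout allows only N tries per window."""
    return attempts_per_window / window_seconds


def pin_vs_passcode():
    """Keyspace of the older 4-digit PIN and the modern 6-digit passcode."""
    return keyspace(len(DIGITS), 4), keyspace(len(DIGITS), 6)


def twelve_char_keyspace() -> int:
    """12 characters drawn from digits, both cases of letters and 18 symbols."""
    pool = len(DIGITS) + len(LOWER) + len(UPPER) + len(SYMBOLS)   # 80
    return keyspace(pool, 12)


if __name__ == "__main__":
    four, six = pin_vs_passcode()
    print(f"4-digit PIN: {four:,} combinations; 6-digit: {six:,} ({six // four}x)")
    # Offline guessing against a stolen copy at an assumed 1e10 guesses/s.
    print(f"12-char, pool of 80: {twelve_char_keyspace():,} combinations, "
          f"about {years_to_exhaust(80, 12, 1e10):,.0f} years at 1e10 guesses/s")
    # Online guessing throttled by a lockout of 5 tries per 10 minutes.
    rate = lockout_limited_rate(5, 600)
    print(f"4-digit PIN behind that lockout: about "
          f"{years_to_exhaust(10, 4, rate) * 365.25:.1f} days to exhaust")
```

The last figure is the point of the lockout: even a 10,000-combination PIN takes roughly two weeks of uninterrupted guessing when a device allows only a handful of tries before it pauses.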

Brute-Force Attacks Can Be Effective in Some Cases

These kinds of attacks are simple and inelegant—the name is "brute force" for a reason, after all. Now you know how brute-force attacks work and how to protect yourself against them, so you shouldn't have much to worry about.

Use strong passwords and don't let your data end up in a place where it's not protected by brute-force countermeasures. Don't forget that there are other ways to compromise passwords, though.
