A guide to trial and error hacking attempts
When it comes to cybersecurity, there are a lot of scary terms that can make you fearful for the safety of your data. For example, the term brute force attack sounds intimidating. In reality, it should be called something like a very persistent attack.
Here’s a look at what a brute force attack is, how it works, and how to protect yourself and your data against this threat.
Brute force attacks are sometimes referred to as dictionary attacks, brute force cracking, custom hardware attacks, or exhaustive search.
Brute force attacks explained
A brute force attack is an effort to break into a computer system using repeated attempts to force entry. Usually this means guessing a password by trying different words or combinations of words systematically. This is why brute force attacks are also commonly referred to as dictionary attacks.
With a brute force attack, the cybercriminal bet that the target computer or system is secured with a common password or a simple pun. While the password is easy to guess, it won’t take long for the attacker’s computer to enter the correct password.
Brute force attacks attempt to crack passwords, passwords, usernames, or personal identification numbers (PINs).
How a brute force attack works
A brute force attack usually starts with a gigantic word list. These lists come from many sources, but the most popular are lists of common passwords recovered from other hacks. These lists can contain tens or even hundreds of thousands of words.
The attacker then uses a script or program to go through the list, trying each word or a combination of words as a password. They’ll do the same with usernames, as well.
When a password attempt is successful, the software reports its success to the hacker. From there, the hacker can log in normally using the newly discovered username and password.
Depending on how they want to proceed, an attacker can control the number of password cracking attempts and the timing of those attempts. While it is possible to bombard a server with rapid fire attempts, this is usually a clear sign of an attack, and it could crash the system. Instead, an attacker can space out connection attempts to make it appear more natural in the hope of going unnoticed.
Once the passwords and login credentials have been stolen, the hacker can gain access to the computer or system, sell the credentials to a third party, impersonate the user to send phishing links, disfiguring the website, or redirecting a site to a malicious site.
Protect yourself against brute force attacks
Brute force attacks are among the simplest hacks possible. Most of the time, these attacks are nothing more than an attacker automating the process of guessing your password by using a program to systematically enter these words. Accordingly, the best way to protect yourself is to choose a secure password.
The word lists used by attackers usually come from commonly used passwords and single words in the dictionary. Choosing combinations of words in a passphrase, and including one or more less common words, is a great idea. Add numbers and some special characters to create a strong password.
A pass phrase made up of three or more words, three numbers, and at least two special characters would be quite difficult for most brute force attacks to guess.
You can also use password managers to store randomly generated passwords. The more characters in a password, the longer it takes to guess a brute force attack. Also, random characters cannot be cracked with a dictionary.
Passwords with random characters can be broken with another type of brute force attack that tests different combinations of characters. However, these are less common because these attacks require more computing power.
Some programs may forgo passwords in favor of cryptographic keys. These keys are uniquely generated and shared between your computer and the system or server you are connecting to. You can log in automatically with the key, but anyone else is immediately refused.
Finally, you can set limits on connection attempts. There are many ways to do this, depending on the program or system you are trying to secure. Many have options to block connection attempts after a certain number of failures. Some may automatically block certain IP addresses after a certain number of failed connections.