Brute force attacks (also called a brute force cracking) are a type of cyberattack that involves trying different variations of symbols or words until you guess the correct password. As you might have guessed, brute force attacks aren’t the most efficient. However, with some clever tricks and variations, they can work concerningly well.
With specialized software and the right situation, hackers can automatically try millions or even billions of passwords per second. This makes brute force attacks an essential part of the hacker’s arsenal.
Types of Brute Force Attacks
All brute force attacks can be lumped into two categories: online and offline. On top of those, there are lots of different variations, such as dictionary attacks.
With an online attack, the hacker sets up software to try every possible password on a running system. Guessing the passwords to website login pages and remote desktop connections would be an online attack. Another example is trying every possible iPhone passcode.
In an online attack, the hacker has to wait for the server they’re hacking to say whether each password was right or wrong. This is slow. Most serious website operators add rate-limiting, which makes the attack even slower. Your iPhone has this feature too; if you type the wrong password too many times, it locks you out for a period of time.
Even with those protections, lots of people screw up server security, so online attacks still work. The Secure Shell (SSH) remote server access program is sometimes set up with password login and no rate-limiting. If you run SSH on the public internet, it’s a safe assumption that someone is attacking it at any moment.
Offline attacks are more difficult to pull off, but they’re also more effective. A hacker with a serious computer can test crazy numbers of passwords per second because the passwords are checked on their own computer.
Website owners generally hash the passwords in their database. A hash function is a one-way process, so the website’s software can check passwords but it can’t decrypt the hashes to get the passwords themselves. If a hacker steals the database, they get hashed passwords instead of the originals.
Website operators can strengthen the security of their password hashes through salting. Without salted hashes, hackers can use rainbow tables, which allow them to skip a lot of work by testing precomputed hashes.
Instead of testing each possible password, they can download a rainbow table with a large number of possible passwords and their hashes already computed. Then, all they would have to do is compare the hashes in the rainbow table against those on the stolen database.
They can also create their own rainbow tables – the process is essentially identical to brute forcing, except instead of trying the combinations directly as passwords, you would run them through a hash function and put them in a table.
Salting makes hashes unique, even if the password is the same as one in a rainbow table.
Instead of guessing random combinations of symbols, hackers can also cycle existing words in a dictionary. People often use words in their passwords to make them more memorable – this makes the job easier for hackers. Brute force software can even mutate the dictionary passwords to increase the odds of success.
Even a very long password can be guessed easily if it’s similar to one in the attacker’s dictionary. This classic xkcd comic on password strength explains the situation quite well.
How to identify brute force attacks
Brute force attacks leave obvious clues for server operators. Most server software automatically logs failed login attempts. If system administrators notice a sudden increase in failed login attempts, odds are that the service is under attack.
Popular web-based services like Gmail and Twitter email users when their accounts might be under attack. If you have two-factor authentication enabled and you get a “Confirm if it’s you logging into your account” notification. If you weren’t the one to sign in—you know that someone else has your password. They might have gotten it through a brute force attack, although phishing and other attacks are possible too.
How to Prevent Brute Force Attacks
Although brute force attacks are effective, it’s possible to make them much harder with some simple steps.
Prevention For Users
- Use long, unique passwords. Brute forcing becomes exponentially harder with longer passwords. You can thwart dictionary attacks by making your passwords more unique. If in doubt, use a password manager to automatically generate and save random passwords for each site. Also, check our guide on how to create a strong password.
- Secure remote desktop connections as much as possible. Remote desktop is a popular way for attackers to get access to your computer. Leave remote desktop off as much as possible. When it’s on, use an extremely strong password.
- Use two-factor authentication. A brute-force attack is far more difficult when a correct password isn’t enough to log into an account. With 2FA, users need their phone or a physical security key to log into their accounts. This makes your account far more secure.
Prevention For Server Operators
- Use rate limiting. If you run a server, make sure that hackers can’t try passwords very fast. They might get discouraged and give up if the delay is long enough.
- Don’t use account lockouts. If you own a website, it might make sense to lock accounts after a certain number of incorrect attempts. However, this lets an attacker perform a denial of service attack by locking out lots of accounts.
- Secure SSH appropriately. Enable fail2ban, disable password logins (in favor of SSH keys), and turn off root login from SSH.
- Hash and salt your passwords with modern algorithms. MD5 or another very basic hash algorithm is hardly better than nothing. Use a modern hash function and salt to prevent rainbow table attacks.
Short history and examples of brute force attacks
- Brute force attacks have been a theoretical possibility since the dawn of modern encryption. They’ve continually become more practical as time goes on.
- 1977: Scientific paper on brute force attacks on the DES encryption scheme is published (Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard by Whitfield Diffie).
- 1996: Cryptologist Michael J Weiner publishes the paper Efficient DES Key Search, which continues the process towards efficient offline attacks.
- 2004: Fail2ban was initially released, making servers easier to secure from brute force attacks.
- 2007: The first beta version of Aircrack-ng was released. Wi-Fi network hacking became a lot easier.
- 2013: GitHub users are the victims of an online brute force attack.
- 2015: Hashcat became free and open-source, opening GPU-accelerated offline brute force attacks to a wider audience.
- 2016: Alibaba-owned marketplace Taobao suffers an attack, as a result of which more than 20 million passwords are brute-forced.
- Circa 2017: GrayKey is made available, allowing law enforcement to more easily perform brute force attacks on encrypted iPhones.
Brute force attack tools
Different kinds of brute force attacks require different tools. Below are a few common brute force tools and their use cases.
- Hashcat: State-of-the-art offline password cracking. This tool offloads work to the graphics processing unit (GPU), which makes it very fast.
- Aircrack-ng: Wi-Fi password cracking. Aircrack-ng monitors encrypted Wi-Fi traffic and uses a variety of brute-force-based attacks to find the network password.
- RainbowCrack: Offline password cracking with rainbow tables. Instead of computing the hash for every possible password, RainbowCrack takes advantage of precomputed hashes.
- Ncrack: Online network authentication hacking. Hackers who want to attack the Microsoft remote desktop protocol, SSH, or an encrypted email connection can use Ncrack. It also supports attacks other than those involving brute force.
Frequently asked questions
What’s the best protection against a brute force attack?
Strong passwords. The time to crack a password increases exponentially as the password gets longer and more complex. Dictionary attacks are made way more difficult with complex, unique passwords. Using a password manager is a good idea as well.
Is brute forcing legal?
No. Mounting a brute force attack is illegal. In fact, it may be a felony under the Computer Fraud and Abuse Act in the United States. Other countries have similar laws.
Testing your own server with brute force tools is legal. Make sure to have written permission if you’re testing someone else’s server.
How fast is a brute force attack?
It depends on lots of factors, but hackers can test millions or billions of passwords per second under the right conditions. Offline brute force attacks are way faster than online attacks. Online attacks, especially when the service uses rate limiting, are very slow.
Although the efficiency of brute force attacks differs based on the technique and computing power, they can be extremely fast in many cases.
How long does it take to crack 256-bit encryption?
As long as it takes to guess your password. Standard encryption systems generate a key from your password and then encrypt your data with that key. Although strong encryption like 256-bit AES is extremely difficult to crack by guessing the key, it’s much quicker to guess the password.
Hackers can also employ dictionary attacks to make encryption-cracking faster. No matter what, make sure that your encryption password is especially strong.