A brute force attack tries millions of usernames and passwords per second against an account until it strikes gold. That's the gist of it. However, even though these attacks are simplistic, they're too often successful.
Today we'll cut through the jargon to explain what a brute force attack is, how it works, whether it's legal, and how it holds up to current security systems.
How does a brute force attack work?
Brute force attacks are simple in their technical aspect and often yield great results for the attackers. Essentially, bad actors use brute force attacks to access online accounts.
Hackers favor this type of attack since it requires little effort on their part by letting computers do the work. The work comprises quickly guessing the username and password of the account it is trying to gain unauthorized access to. During a brute force attack, a computer program works viciously, trying infinite combinations of usernames and passwords until it finds a fit.
How fast is a brute force attack?
The speed at which your password is cracked depends on:
The strength of your password.
The power of the criminal's computer.
Here is a quick guide to both
Speed depending on password strength:
Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second.
There are 94 numbers, letters, and symbols on a standard keyboard. In total, they can generate around two hundred billion 8-character passwords.
The longer and more random a password, the tougher it is to crack. A 9-character password that includes a unique character takes around 2 hours to break; one without a unique character lasts just 2 minutes!
In comparison, a 12-mixed-character password would take centuries to crack.
A simple password made up of only lowercase letters produces a lot fewer combinations than a password using a mix of random characters – around 300 million, to be exact. Therefore, computers don’t need much effort to guess a simple password – 8.5 hours on a Pentium 100 and instantly on a supercomputer.
(A Pentium 100 can try 10,000 passwords a second. A supercomputer can try 1,000,000,000 per second). So it's best to re-think your password.
Types of brute force attacks
Brute force attacks come in a variety of types and forms. Here are some of the most common brute force attack types that hackers use to gain unauthorized access to online accounts.
Simple Brute Force Attack
The simple brute force attack, as the name suggests, is the most basic of all the types. During such an attack, the bad actor tries to guess the user’s password manually, without the employment of software tools. The attacker relies on trying out commonly used, weak passwords such as 123456, qwerty, password, and password123. Unfortunately, the simple brute force attack can be pretty effective, as we’ve repeatedly seen that many people continue to use weak and otherwise poor passwords to secure their online accounts.
While a dictionary attack does not strictly fit the criteria for qualifying as a brute force attack, the two are closely related. Simply put, a dictionary attack is a method of trying to crack the password by trying out a vast number of common words and their variations. To do that, hackers use software that can make thousands of guesses every second using dictionary databases, hence the name of the attack. Over the years, dictionary attacks have decreased in popularity as new attack types came into prominence.
Hybrid Brute Force Attack
As the name suggests, a hybrid brute force attack combines a dictionary attack with a brute force attack for a better chance of success. Often a hybrid attack is utilized once the attacker already knows the username of its prey.
The essence of a hybrid attack is that it is designed to try out a variety of uncommon password combinations such as MonkeyBig123. In most cases, the attacker starts with a list of words and then attempts to switch characters and add special symbols or numbers to get as many possible variations on the initial words as possible.
Reverse Brute Force Attack
Think of a reverse brute force attack as a somewhat polar opposite of a hybrid attack. A reverse brute force attack requires the attacker to know the password beforehand and then attempt to guess the username.
Attackers in possession of a password – which they most likely obtain from leaked databases – use it to track down the usernames associated with it and match the two.
Credential stuffing is the type of attack that bad actors carry out when they have a set of usernames and passwords already at their disposal. Hackers can get entire databases of stolen login credentials and then try to apply them to the account they’re trying to access. This kind of attack can be especially devastating if the attacked user reuses passwords across multiple accounts.
Rainbow Table Attack
A rainbow table attack is a method of password cracking that employs rainbow tables to break the password hashes in a database. Websites or apps don’t store passwords in plain text; instead, they encrypt passwords with hashes. Once the password is used for logging in, it is immediately converted to a hash. The next time the user logs in using their passwords, the server checks whether the password matches the previously created hash. If the two hashes match, the user is then authenticated. The tables used to store password hashes are known as rainbow tables.
In most instances, the hacker launching a rainbow table attack would need to have the rainbow table at their disposal. Often these can be bought on the dark web or stolen. During the attack, bad actors use the table to decrypt the password hashes and so gain access to a plaintext password.
What are the motives behind brute force attacks?
Brute force attacks are usually the first wave of the offensive. In most instances, brute force attacks serve as a way for attackers to gain an unauthorized entry point to a network. Once they achieve the desired access, hackers will deploy further brute force attacks to upgrade privileges within the network so they can do more damage or gain access to servers and databases.
Is a brute force attack illegal?
The only time a brute force attack is legal is if you were ethically testing the security of a system with the owner's written consent.
In most cases, a brute force attack is used to steal user credentials – giving unauthorized access to bank accounts, subscriptions, sensitive files, and so on. That makes it illegal.
How to prevent a brute force attack
Businesses and individuals can protect themselves from brute force attacks in a variety of ways. The crux of the brute force attack is time. Some attacks can take weeks or even months to be successful. Thus, most of the strategies used to defend against a brute force attack involve the increasing time required for a successful attack to be carried out.
Use complex, unique passwords
Complex passwords are long and incorporate a variety of special symbols, numbers, and lower- and uppercase letters. A strong, unique password used to protect an entry point can take hundreds of years to be cracked. Thus, using a password that comprises at least 12 characters is always recommended, with a healthy mix of numbers and special symbols.
Also, remember never to reuse passwords across multiple accounts. Doing so increases the chances of getting your accounts hacked. Think of reusing passwords in the same vein as using a single key to lock all the doors. If bad actors can get their hands on the password you use to protect multiple accounts; they’ve instantly gained access to all of your accounts.
One of the best ways to come up with strong and unique passwords is by using a password generator, which is designed to create complex and hard-to-crack passwords on demand.
Set up MFA whenever possible
Multi-factor authentication is an extra layer of security that requires additional steps to verify the user's identity. Today, most online services provide a way for users to set up MFA. In most cases, MFA works via authenticator apps or text messages. With the MFA enabled on your accounts, even if they manage to get your username and password, attackers will have no way to bypass an extra step of authentication without direct access to your devices.
Avoid using services that do not protect your data with an encryption
Encryption is the industry standard when it comes to data protection. Any respectable online service provider will ensure that your user data, including usernames and passwords, will be encrypted.
However, we often hear about how some online platforms take the easy way out, do not employ adequate security measures, and store passwords and other valuable data in plain text. Such security practices are a recipe for disaster.
So before you sign up for any new online service, make sure that the provider employs encryption and other cybersecurity measures to ensure the security of their customer’s data.
Simply put, encryption is a method of scrambling data so that only authorized parties can understand the information. Encryption algorithms take readable data such as passwords and usernames and alter it to appear random. The nice thing is that encrypted data, even if stolen, is useless to a bad actor unless they have a cryptographic key, but those are not so easy to obtain.
NordPass uses cutting-edge XChaCha20, making it one of the most secure password managers. XChaCha20 also supports the 256-bit key, which is the strongest encryption currently available. Favored by Google and Cloudflare, this level of encryption is so advanced it would take a supercomputer centuries to crack.
Deep security system
Encryption is only one part of a security strategy, so it's crucial to inspect how all the ingredients are mixed together. When a formidable algorithm like XChaCha20 sits inside a high-defense system like NordPass, an attacker has no chance.
In reality, this is exactly what separates NordPass from products that offer familiar, surface level features. It’s a deeply complex defense system built from the inside out.