Most of the cyberattacks we see on the news are high-level, well-coordinated events that take a bit of planning and are executed with very specific intent.
But not all hacks are that sophisticated. And, much like real life, the uncoordinated random attempts can be just as devastating, if not worse, than well-planned schemes. While a bank heist might make headlines, how many average Joes suffer the significant loss of their wallets at the hands of bumbling muggers who randomly set them in their sights?
In the cyberworld, we call those clumsy robbery attempts “brute-force attacks.”
Overview: What is a brute-force attack?
The goal of brute force hacking is to access a network or personal information. Most often, this is accomplished through a brute force password attack, also known as an exhaustive search. The cybercriminal systematically guesses random passwords, passphrases, usernames, or PINs until they find the correct one.
Most often, they will use a script or application to make a large number of continuous attempts.
- Dictionary attack: In this very common type of attack, a bot uses a list of commonly used words from a dictionary in order to guess passwords. The most common password? “Password.”
- Reverse brute force: Instead of trying many passwords to guess the right one for a single username or account, this type of attack will try one commonly used password against a number of usernames.
- Credential stuffing: Many people will use the same username and password for multiple websites and accounts. If a hacker gains access to one account, they’ll use that individual’s same username and password on a number of different accounts to see if they can get multiple matches. This is why it’s so important to have unique passwords for each account.
“Hackers buy thousands of user IDs and passwords from the dark market,” adds Ginni Green, software engineer, security expert, and founder of , which makes website design affordable for nonprofits. “Dark market (darknet) is a marketplace where cybercriminals sell data to other hackers (or even marketers!) after breaching any website's vulnerable databases using different types of malware or applying various intrusion techniques.”
3 reasons hackers use brute force
Why are brute-force attacks often successful? Hackers like brute-forcing because the majority of people are sloppy in choosing, guarding, and updating their passwords. A Google survey found that 65% of people reuse passwords across multiple sites, if not all sites.
Why does this make brute-force attacks so appealing?
1. Low-hanging fruit
This year, companies quickly made the switch to off-site workers — and many small businesses failed to take the necessary endpoint security precautions to secure phones, laptops, and tablets.
Even if you’ve put security measures in place to protect your network and databases, when your employees log into those systems using unsecured routers and laptops, you’re still at risk.
There are many sophisticated ways for cybercriminals to access your assets, but why go to all that effort when your employees are so careless with their credentials? If you were a burglar, would you climb up to the roof and scoot down the chimney first thing? Or would you jiggle the lock on the front door first?
“Picture a person of malfeasance coming upon a door, window, or other means of ingress,” says Ron Pelletier, founder and chief customer officer at managed detection and response firm . “If they are determined to get inside, they will often try those means first as it lends expediency, and if the ingress points are locked, they may use some level of force to make way.
“Bad actors in cyberspace will do the same thing, albeit with a bit more sophistication and a lot of different methods at their disposal.”
Brute-force attacks require little effort or skill, which makes them appealing to neophyte hackers. Additionally, they can be automated with bots and software that run through a list of words, usernames, passwords, and accounts until they strike gold.
“Just like a lobster fisherman laying many pots instead of hunting the crustaceans individually, an attacker may set a brute force program in motion to gain time with potentially more positive outcomes,” says Pelletier. “This is particularly true if they’ve enabled a series of bots across the web to execute multiple brute-force attacks.”
7 ways to protect your passwords from brute force
The situation isn’t hopeless.
“Success is relative,” says Pelletier. “While it can be postured that any system can ultimately be exploited given enough skill, time, and resources of the attacker, a brute-force attack is only as good as the program being used and the skill of the person using it.
“Variables of password length and complexity can add challenges for inferior programs and lesser skilled actors, an apt defense mechanism can detect a brute-force attack and, if it’s programmed to do so, can lock out the ‘user’ or block the access path entirely.”
That being said, vulnerable systems that are poorly protected may offer hackers persistent access, allowing successful attacks to go on for days, weeks, or months without detection.
How can you protect your data and systems?
1. Change default credentials
Be sure that every device in your office has its own unique username and password — and not the one the manufacturer assigned at the factory. This goes double for any devices, especially personal printers and routers, that your remote workers are using at home.
Few people think to change the factory-set passwords on those at-home devices, and this could mean tremendous risk for the workplace, as hackers can easily break these codes with little effort.
2. Make good password choices
This is the No. 1 rule for preventing cyberattacks, and yet so many people ignore all the warnings. Passwords should be long, using uppercase and lowercase letters, numbers, and symbols. Don’t use your name, your nickname, your pet’s name, your college mascot, or any other cute fact discernible from your social media posts. Change your passwords often. Then nag your employees to do the same — early and often.
Andrews recommends helping employees prevent brute force logins by providing password managers like LastPass or 1Password. “Strong passwords are often hard to remember. By setting employees up with a company password manager, they can easily access all their passwords from one secure location. Most password managers also include password generators, which make it easy to create strong passwords any time employees must choose a new password.”
3. Limit employee access
Many organizations, no matter what their size, are moving toward a zero trust cybersecurity strategy. This requires people within your network to continuously prove they are trustworthy, even though they are inside your perimeter.
One step in this strategy is giving employees access only to the systems and data they need to do their jobs, and nothing more. Then, if one employee is hacked, you can contain the damage, knowing the hacker only accessed the assets for which the employee had permissions.
4. Limit login attempts
You know this trick and you hate it when it happens to you. However, it’s an effective way to identify hacking attempts. After a certain number of unsuccessful login attempts, a user is locked out of the system for a certain period of time, unless they contact the system administrator to be reverified.
Green notes that for WordPress websites, this can be achieved through some free plugins such as Limit Login Attempts, Loginizer, or WPS Limit Login. For other types of websites, you need to write some simple codes to facilitate this feature.
5. Use two-factor authentication
Most organizations use two-factor authentication these days due to its effectiveness. When you log into a website, it texts you a code to enter before allowing you access. It works so well because it’s rare that a hacker will have both your account password and access to your cellular phone.
“I do believe [two-factor authentication] is one of the most effective controls,” says Pelletier. “If successful login requires not only something I know (like a password), but also something I am (like a biometric) or something I have (like a randomized token), the success for standard brute-force attack goes down exponentially to the point of discouragement or defeat.”
6. Enable CAPTCHAS
A CAPTCHA is a challenge you’ll face when you try to log on to a site or make an online purchase. We’ve all seen them — they ask you to retype the crazy-looking word or number sequence or direct you to click on all the squares that have traffic lights.
Successfully completing this final step proves to the login that you are human and not a bot. They successfully trip up automated brute-force hacking attempts, confusing the bots and denying them access to your account.
7. Monitor systems for vulnerabilities
Brute-force attacks are a low-level hack, but you should still monitor your network and systems to identify attempts, even if they are unsuccessful. Repeated attempts could indicate weaknesses in your cybersecurity defenses that should be addressed.
Understanding the threats and their possible entry points will take threat hunting to the next level. It also may indicate where you need to shore up defenses; for example, if you repeatedly see attempts on your remote workers’ laptops, you can beef up your endpoint security software solutions and plan an employee training session to increase awareness.
The brute-force attackers are coming for you
Brute-force attacks may be considered simplistic in nature, but make no mistake: They pose an immediate threat. If a hacker accesses your systems, network, or databases, they can deposit malware or ransomware or exfiltrate sensitive customer and financial data. You can prepare for these attacks, however, by maintaining good cyber-hygiene, training employees, and monitoring your system for attempted attacks.
“Bear in mind that the barbarians are always at the gates,” says Pelletier. “So long as an access path is presented to the internet, you can be sure that someone will be out there testing its security.”