What Is a Brute Force Attack? How They Work and How To Stop Them
A brute force attack is a trial-and-error method of finding correct login credentials. Hackers will ‘force’ multiple combinations of usernames and passwords until they find an authentic login credential.
This type of cyberattack is commonly used by hackers. Abnormal Security found as many as one in four companies were targeted by brute force attacks every week in 2021.
Due to its popularity among cybercriminals, organizations should take precautions to ensure their networks and accounts are protected from brute force attacks.
How Do Brute Force Attacks Work?
There are multiple variations of brute force attacks, but they all have one ultimate goal: successfully access login credentials. Hackers will use trial and error–often with the help of software–to systematically guess password combinations. Brute force attacks are especially effective when account owners use simple or common passwords.
A successful brute force attack can lead to data breaches, ransomware installation, account takeovers, phishing attacks, domain redirects, and more.
Hackers like brute force attacks because it can take a matter of seconds to hack into an account. Software can do most of the work in executing the attack and trying different combinations of usernames and passwords until it finds authentic login credentials.
Different Types of Brute Force Attacks
Depending on the sophistication of the criminal, they may use more or less technical brute force strategies. Different types of brute force attacks include:
Simple brute force attacks: Non-technical criminals will manually attempt to discover a user's password. This method is most effective when users have commonly used or weak passwords, like the target’s username, or simply “password.”
Dictionary attacks: Criminals will set up a bot to go through the dictionary to find the correct password. They may also include numbers and symbols to guess longer passwords.
Hybrid brute force attacks: A hybrid brute force attack uses the dictionary attack method, but it will also attempt to guess multiple words instead of a singular word. It's designed to discover more complex passwords. For example, "HelloThere123" would beat a dictionary attack, but not a hybrid attack.
Reverse brute force attacks: Hackers use common passwords against a batch of usernames or encrypted files.
Credential stuffing: Credential stuffing uses the same username and password–usually obtained through a data breach or password leak–across multiple sites and accounts. This is effective when users use identical passwords for several accounts.
How Do You Stop a Brute Force Attack?
Brute force attacks succeed against weak passwords–both at the user and organizational level. The first step to preventing a successful brute force attack is to educate employees on the importance of a strong password. You should enforce policies to ensure employees are using robust passwords for their accounts. For example, you may require:
Minimum character lengths with varied characters: Longer passwords with multiple character types are more difficult for a criminal to hack and could give your company time to respond to suspicious login activity. They’ll stump a simple brute force attack, and can significantly slow down a dictionary attack.
Multi-word passwords: One of the best ways to beat dictionary attacks is to use passwords with multiple words instead of a single word. Adding numerals or symbols will add to the complexity and keep your account more secure.
Avoid frequently used passwords: Make sure your employees know common passwords like "password" or "123456" are easier for criminals to hack. Ensure they are using passwords that are unique to them and don’t include their usernames.
Use a different password and change them regularly: Credential stuffing works when people use the same login credentials for multiple accounts. You can avoid this scenario by requiring different passwords for their accounts, with required updates.
While it's important to have employees on the same page about password security, organizations need to take it a step further and implement security protocols to protect against cybercriminal activity. Besides employee training and increasing password complexity, these organizational implements can stop brute force attacks:
Multi-factor authentication: Requiring users to verify their identity twice can stop many brute force attacks. Besides having the correct login credentials, they will also need to provide a second authentication code. This can be delivered to the person via text message, phone call, authenticator app, or token. Alternatively, they may also need to answer a question only the account owner would know or provide their biometrics.
Limited login attempts: Brute force attacks often rely on using a login page multiple times to attempt to authenticate login credentials. Organizations can configure their settings to lockout an account after a certain number of attempted login attempts. This could cause a significant delay and force hackers to move on to different targets.
Password manager: Employees often use simple passwords out of convenience. If your organization provides an effective password manager that can generate and store strong passwords, this mitigates the convenience factor.
Captcha: Captcha tools ask people to verify they are human and not robots. People will need to accomplish a task like identifying objects in a picture, clicking a checkmark, or retyping text. This extra step could stop automated brute force attacks from succeeding.
Penetration testing: Organizations should conduct a penetration test to check their company for weak passwords or security vulnerabilities.
Stop Brute Force Attacks From Your Supply Chain
Organizations should have a framework to notice suspicious activity within their network. Detecting an account takeover–internal or external–prevents potentially enormous damage to your organization.
Here’s a scenario: one of your vendors falls victim to a brute force attack. Criminals use the newly compromised account to launch supply chain attacks against that vendor’s trusted partners–which includes your organization. They can send emails with phishing schemes, ransomware attachments, or fake invoices, and they’ll appear to come from your vendor.
Email security solutions like Abnormal Security can detect and automatically block emails from compromised accounts. We analyze behavioral clues to flag any suspicious actions, including geographic changes, unusual tone and content, financial requests, and more.
Contact us today to try a demo and see how Abnormal Security can protect your organization from brute force attacks in your supply chain.