What is a Brute Force Attack and Why You Should Care?
A brute force attack is a commonly used attack for cracking passwords. These attacks are the cyber-equivalent of a situation we often see in movies: a door is locked, and a character has a key ring with no idea of which key fits the lock. Time is running out. The owner will be there any moment now. So, the person tries one key after another, quickly, until one fits.
That’s a brute force attack for you. The attackers keep trying combinations of usernames and passwords until they find one that works.
It’s pure trial and error.
A brute force attack is a traditional and comparatively “unsophisticated” attack method, but it is still widely used. According to Verizon’s Data Breach Investigations Report, 80% of breaches involved brute force or the use of stolen or brute-forced credentials.
Despite all the guesswork involved in zeroing in on login credentials, encryption keys or hidden web pages, brute force attacks remain a popular technique because they work. The name comes from the nature of the technique: there is little to no sophistication in the attack. The attackers are simply trying to ‘force’ their way into your private account.
Just to be clear, attackers are not manually coming up with and typing in these password combinations. They use powerful automated tools to launch such attacks. Combine this with ever-evolving, easily available software that helps perform brute force attacks, and you have a scenario tailor-made for their use.
Types of brute force attacks
Traditional or simple brute force attacks: These are the guesswork attacks. Attackers guess credentials without the use of software tools (and yes, these succeed at times, because so often users ignore password best practices and choose easily guessed passwords).
Dictionary attacks: Here, an attacker identifies a specific target and cycles through many candidate passwords sourced from a dictionary or from lists of commonly used passwords unearthed through data breaches.
Reverse brute force attack: This is a brute force attack in reverse, meaning attackers don’t zero in on a target (username), but pick a common password and run through millions of usernames to find one that matches it. Passwords leaked in earlier data breaches are easily available on the dark web, and attackers leverage these to launch reverse brute force attacks.
Hybrid brute force attacks: In this case, attackers don’t just use manual guesswork to crack passwords, but also add automated tools to the mix to work out passwords that are a mix of words, characters and numbers.
How does a brute force attack work?
The concept of ‘simple brute force attacks’ might have conjured up images of a brilliant hacker working out password combinations with pen and paper.
It’s far less dramatic than that, because cybercriminals are busy individuals. They typically use scripts or bots to launch an attack against a website or the login page of an application. Serious hackers will employ a series of tools to run through a truckload of password combinations in order to crack passwords.
This is only the first step. The real objective of a brute force attack is to access a user’s personal and sensitive information, which can then be used to reach privileged accounts and get inside an organization’s network.
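As an added example (not code from the original post), here is the defender’s view of the two patterns described above: a simple or dictionary attack shows up in authentication logs as many failures against one username, while a reverse brute force attack shows up as one source failing against many different usernames. The log lines are constructed in an sshd-like format, and the thresholds are illustrative assumptions, not recommended values.

```python
import re
from collections import defaultdict

# Constructed sample lines in an sshd-like format (not taken from any real system).
SAMPLE_LOG = """\
Mar 10 08:01:02 host sshd[101]: Failed password for alice from 203.0.113.5 port 4011 ssh2
Mar 10 08:01:03 host sshd[102]: Failed password for alice from 203.0.113.5 port 4012 ssh2
Mar 10 08:01:04 host sshd[103]: Failed password for alice from 203.0.113.5 port 4013 ssh2
Mar 10 08:01:05 host sshd[104]: Failed password for alice from 203.0.113.5 port 4014 ssh2
Mar 10 08:01:06 host sshd[105]: Accepted password for alice from 203.0.113.5 port 4015 ssh2
Mar 10 08:02:01 host sshd[106]: Failed password for bob from 198.51.100.9 port 5001 ssh2
Mar 10 08:02:02 host sshd[107]: Failed password for carol from 198.51.100.9 port 5002 ssh2
Mar 10 08:02:03 host sshd[108]: Failed password for dave from 198.51.100.9 port 5003 ssh2
Mar 10 08:02:04 host sshd[109]: Failed password for erin from 198.51.100.9 port 5004 ssh2
Mar 10 08:03:00 host sshd[110]: Failed password for frank from 192.0.2.77 port 6001 ssh2
"""

# Matches both "Failed password for <user> from <ip>" and "Accepted password for ..." lines.
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse(log):
    """Yield (outcome, user, source_ip) for each line the regex recognises."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def detect(log, user_threshold=4, spray_threshold=4):
    """Flag accounts, sources and logins that cross the (assumed) thresholds.
    brute_forced: usernames with >= user_threshold failures (simple/dictionary attack);
    spraying: source IPs failing against >= spray_threshold distinct users (reverse attack);
    success_after_failures: a login that followed earlier failures from the same source."""
    fails_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    fails_per_pair = defaultdict(int)
    success_after_failures = []
    for outcome, user, ip in parse(log):
        if outcome == "Failed":
            fails_per_user[user] += 1
            users_per_ip[ip].add(user)
            fails_per_pair[(user, ip)] += 1
        elif fails_per_pair[(user, ip)] > 0:  # success right after failures: likely compromise
            success_after_failures.append((user, ip, fails_per_pair[(user, ip)]))
    return {
        "brute_forced": sorted(u for u, n in fails_per_user.items() if n >= user_threshold),
        "spraying": sorted(ip for ip, us in users_per_ip.items() if len(us) >= spray_threshold),
        "success_after_failures": success_after_failures,
    }

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the sample, alice is flagged as brute-forced (and her later successful login from the same source is flagged as a likely compromise), while 198.51.100.9 is flagged for trying one password against four different accounts.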
The difference between brute force and DoS/DDoS attacks
As we said at the start, a brute force attack is launched specifically to gain user credentials and is more of a trial-and-error effort using guesswork to crack passwords. A Denial-of-Service (DoS) attack is intended to shut down a website/system so that users are unable to access it. This is done by sending junk requests to overwhelm the site/system. The objective of a Distributed Denial-of-Service (DDoS) attack is the same, but rather than a single source of junk requests, the attackers use a botnet to launch the DoS attack, which means useless traffic is sent from multiple computers (aka zombie computers).
Why should you care?
According to the 2020 Threat Report released by SophosLabs, internet-facing services are under a growing threat in which attackers attempt brute-force methods to access home routers, DSL/cable modems and more. Like it or not, you are in the line of fire. You might ‘believe’ your PC or Mac is unimportant and beneath the notice of cyberattackers, but you’re wrong.
Also, the work-from-home model has resulted in increased instances of brute force attacks. With companies across the globe shifting to remote work, cybercriminals see an opportunity. Phishing emails exploiting pandemic fears were already on the rise, and now attacks are being levelled against “unprotected” home computers that employees might be using for work purposes. The very fact that attackers see your Windows PC or Mac as ‘unprotected’ means it can be a prime target for brute force attacks.
Say no to a legacy approach to protecting passwords
Traditionally, protecting against brute force attacks meant using complicated passwords and a password manager to store them. Unfortunately, commercial password managers themselves come under fire from brute force attacks, and you can’t depend on them alone to protect your passwords.
If you want comprehensive protection against brute force attacks, the ideal solution is to invest in an advanced antivirus solution. Sophos Home encrypts your keystrokes to ensure cybercriminals and keylogger software cannot capture your logins and passwords.
With its superior web protection, Sophos Home blocks bad or compromised sites, including phishing sites, for a safe browsing, banking, and shopping experience.
At the end of the day, remember that cybercriminals consider your home computer fair game. With the right security awareness, you’ll be in a better place to protect your computer and keep your personal information from falling into the wrong hands.