What is brute force penetration?
Brute force penetration is a technique cybercriminals use to gain access to networks and apps. The brute force attack leverages a trial-and-error approach to guessing username and password login credentials, encryption keys, and the URLs of hidden web pages.
Types of brute force penetration
There are five common forms of brute force penetration:
- Simple – A non-automated, non-software-driven attack where the hacker uses logic to guess your credentials. Predictable passwords such as user12345 are most at risk.
- Dictionary – The hacker selects a target and runs through a dictionary of possible passwords, including words followed by numerical or special characters.
- Hybrid – The attack utilises the logic of simple attacks with the data of dictionary attacks to create likely combinations. Password attempts might include variations such as john1994.
- Reverse – The approach is run in reverse, starting with known leaked passwords and running millions of usernames against these until access is achieved.
- Credential stuffing – Username and password combinations leaked from data breaches are tested against other websites.
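The five types above leave different traces in authentication logs, which is what a defender can act on: a dictionary or hybrid attack produces many failures against one account, while a reverse or credential-stuffing attack produces a few failures each against many accounts from the same source. The following detector is an added example written for this page, not code from the original article; the log format ("<timestamp> <result> user=<name> ip=<addr>") and the sample lines are constructed for illustration, and the thresholds are assumptions you would tune for your own traffic.

```python
"""Flag brute-force login patterns in authentication logs (added example).

The log format and the sample lines below are constructed for this
illustration and do not correspond to any particular product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one account hammered from one address (dictionary-style),
# one address trying many accounts once each (reverse / stuffing style),
# and one ordinary user with a single typo.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:04 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:05 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:06 FAIL user=alice ip=203.0.113.5
2024-05-01T10:01:00 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:01 FAIL user=carol ip=198.51.100.7
2024-05-01T10:01:02 FAIL user=dave ip=198.51.100.7
2024-05-01T10:01:03 FAIL user=erin ip=198.51.100.7
2024-05-01T10:01:04 FAIL user=frank ip=198.51.100.7
2024-05-01T10:02:00 OK user=grace ip=192.0.2.9
2024-05-01T10:02:30 FAIL user=grace ip=192.0.2.9
"""


def parse_line(line):
    """Parse one constructed log line into a dict with ts, ok, user and ip."""
    ts, result, user_field, ip_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "ip": ip_field.split("=", 1)[1],
    }


def max_within_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window of the given length."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(timestamps):
        while (t - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text, window_seconds=300, per_account_threshold=5, spray_threshold=4):
    """Return accounts under focused attack and source addresses spraying many accounts.

    Thresholds are assumptions for the example: 5 failures on one account within
    5 minutes, or 4 distinct accounts failing from one address within 5 minutes.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = [e for e in events if not e["ok"]]

    by_user = defaultdict(list)   # user -> timestamps of failures
    by_ip = defaultdict(list)     # ip   -> (timestamp, user) of failures
    for e in failures:
        by_user[e["user"]].append(e["ts"])
        by_ip[e["ip"]].append((e["ts"], e["user"]))

    targeted = sorted(
        u for u, ts in by_user.items()
        if max_within_window(ts, window_seconds) >= per_account_threshold
    )
    spraying = sorted(
        ip for ip, pairs in by_ip.items()
        if len({u for _, u in pairs}) >= spray_threshold
        and max_within_window([t for t, _ in pairs], window_seconds) >= spray_threshold
    )
    return {"targeted_accounts": targeted, "spraying_ips": spraying}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The two signals deserve separate handling: a targeted account is a candidate for a timed lockout and a password-reset prompt, while a spraying address is a candidate for the IP denial list, since locking every account it touches would let the attacker lock out your own users.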
Why brute force penetration works so well
- Risk management training – Users notoriously do not protect their data or choose secure passwords. The difficulty of remembering a different password for each website, or of creating strong passwords at all, often leads to the same weak passwords being reused across multiple networks, websites, and accounts. A lack of cybersecurity training for staff also limits risk awareness.
Hackers take advantage of these human weaknesses and traits, and with automated tools and hacking software, attacks are often successful.
How to protect against brute force penetration
Commissioning penetration testing is the most effective way to identify vulnerabilities and poor policies within a workplace.
Users can protect against brute force penetration by:
- MFA – Users should adopt multi-factor authentication. The second factor could be a biometric scan (such as a fingerprint or face scan) or a physical device (such as a push notification to a mobile phone).
- Password managers – Users should use password managers to create and remember strong passwords.
Companies can protect themselves by:
- Limiting the number of tries – Login attempts should be limited to just a few attempts before a timed lockout.
- Encryption – Ensure system administrators use the strongest available encryption so that passwords are harder to crack.
- Salt the hash – Add a salt, a string of random characters, to each password before it is hashed. Salts should be held in a separate database; because each password gets its own salt, identical passwords produce different hashes.
- Limit login frequency – Limit login attempts to one every minute, for example, followed by an account lockdown if there are too many attempts.
- IP denial – Maintain an IP denial list and keep it constantly updated.
- Captcha – Use a Captcha to stop bot brute force attacks.
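Several of the company-side controls above (limiting tries with a timed lockout, limiting login frequency, salting the hash, and an IP denial list) fit naturally into one login routine. The following is an added example written for this page, not code from the original article; it uses only the Python standard library, the in-memory dictionaries stand in for the user and salt databases, the attempt limits are illustrative values, and the clock is injectable so the lockout timing can be exercised without waiting.

```python
"""Login routine with salted password hashing, attempt limits and IP denial.

Added example for this page, not the article's own code. The dictionaries
below stand in for real databases; the limits are illustrative.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
MAX_ATTEMPTS = 5              # failures allowed before a timed lockout
LOCKOUT_SECONDS = 900         # 15-minute lockout once the limit is hit
MIN_INTERVAL_SECONDS = 1.0    # minimum spacing between attempts on one account


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password are stored with different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can advance time
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> consecutive failure count
        self.locked_until = {}      # username -> time the lockout ends
        self.last_attempt = {}      # username -> time of the last attempt
        self.denied_ips = set()     # the IP denial list

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def deny_ip(self, ip):
        self.denied_ips.add(ip)

    def login(self, username, password, ip):
        """Return one of: ok, bad_credentials, too_fast, locked, ip_denied."""
        now = self.clock()
        if ip in self.denied_ips:
            return "ip_denied"
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if now - self.last_attempt.get(username, float("-inf")) < MIN_INTERVAL_SECONDS:
            return "too_fast"
        self.last_attempt[username] = now

        record = self.users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a wrong password
            # and does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, stored)   # constant-time comparison

        if ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0   # fresh allowance once the lockout expires
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "wrong guess", "203.0.113.5"))               # bad_credentials
    print(svc.login("alice", "correct horse battery staple", "203.0.113.5"))  # too_fast
```

Note that the lockout is keyed on the account and the denial list on the source address: a per-account lockout stops a dictionary attack on one user, while the IP denial list is the control for a reverse or credential-stuffing run that spreads its attempts across many accounts. Choosing the lockout length is a trade-off, since an attacker who can trigger lockouts at will can use them to deny service to legitimate users.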