Types of brute force Penetration

Brute force attacks have been taking place for many years, and while the techniques are widely known, many companies and individuals remain vulnerable to them. Here we look at brute force penetration and what companies and their workers can do to protect themselves.

What is brute force penetration?

Brute force penetration is a technique cybercriminals use to gain access to networks and apps. The brute force attack leverages a trial-and-error approach to guessing username and password login credentials, encryption keys, and the URLs of hidden web pages.

Brute force penetration can be used to steal your personal data, spread malware, damage your website’s reputation, or hijack your systems to carry out malicious activity.

Types of brute force penetration

There are five common forms of brute force penetration:

  1. Simple – A non-automated or non-software-driven attack where the hacker uses logic to guess your credentials. Standardised passwords such as user12345 are most at risk.
  2. Dictionary – The hacker selects a target and runs through a dictionary of possible passwords, including words followed by numerical or special characters.
  3. Hybrid – The attack utilises the logic of simple attacks with the data of dictionary attacks to create likely combinations. Password attempts might include variations such as john1994.
  4. Reverse – The approach is run in reverse, starting with known leaked passwords and running millions of usernames against these until access is achieved.
  5. Credential stuffing – Username and password combinations leaked from data breaches are tested against other websites. You can read our Credential stuffing, what is it, and how to prevent it article for more information. 

Why brute force penetration works so well

Risk Management TrainingUsers notoriously do not protect their data or choose secure passwords. The difficulty of remembering different passwords for each website or creating strong passwords often leads to the same weak passwords being used against multiple networks, websites, and accounts. A lack of cybersecurity training for staff also limits risk awareness. 

Hackers take advantage of these human weaknesses and traits, and with automated tools and hacking software, attacks are often successful.

How to protect against brute force penetration

Commissioning brute force Penetration Testing is the most effective way to identify vulnerabilities and poor policies within a workplace.

Users can protect against brute force penetration by:

  • 2fa – Users should adopt two-factor authentication. The second factor could be a biometric scan (such as a fingerprint or face scan) or a physical device (such as a USB key).
  • Password managers – Users should use password managers to create and remember strong passwords.

Companies can protect against brute force penetration by:

  • Limiting the number of tries – Login attempts should be limited to just a few attempts before a timed lockout.
  • Encryption – Ensure system administrators use the highest level of encryption to ensure passwords are harder to crack.
  • Salt the hash – Passwords should be randomised with hashes containing a string of random characters. These should be held in a separate database and added to the password before it is hashed, ensuring identical passwords have different hashes. 
  • Limit login frequency – Limit login attempts to one every minute, for example, followed by an account lockdown if there are too many attempts.
  • IP denial – Use and constantly update your IP denial list.
  • Captcha – Use a Captcha to stop bot brute force attacks.

Contact our cybersecurity experts today for a consultation on brute force penetration testing.

Contact us

Related Articles

Internal Penetration Testing

Having secure online systems is essential for your company’s cyber security. One of the most effective approaches to ensuring high levels of cyber security is

Find Out More

Tips for keeping a website safe

Understanding the importance of keeping your website safe is essential; if you don’t, you are actively allowing hackers to compromise and leak your data. Hacking is becoming more commonly performed by automated scripts written to scour the internet to exploit known website security issues in software.

Find Out More

Website Penetration Testing

Omnicyber provides web app penetration testing services to identify vulnerabilities in all your online products or data stored in the cloud. This includes making sure your website is protected and that you are well informed about the most common types of website vulnerabilities and how you can prevent cyber attacks.

Find Out More