What is Brute Force?
In computer science, brute forcing is a problem-solving approach that requires systematically enumerating through and evaluating possible solutions. By definition, a brute force algorithm is a simple (and usually inefficient) way to find an answer to a problem.
In cybersecurity, brute force means that a hacker is waging an attack using brute-force methods. It can be an adjective (“a brute force attack”) or a verb (“to brute-force a system”).
What is a Brute Force Attack?
In a brute force attack, a hacker uses brute forcing to attempt to gain unauthorized access to a system. The attacker systematically iterates through a variety of possible user credentials (combinations of user names and passwords) and sees which, if any, allow the attacker to successfully log into the targeted environment.
Because brute-forcing requires the attacker to quickly test large numbers of potential credential sets, these attacks are almost always performed with automated software bots.
Brute Force Methods
There are several varieties of brute force attacks. The most important are simple brute forcing, dictionary attacks, reverse brute force, and credential stuffing.
What is a Simple Brute Force Attack?
In a simple brute force attack, the hacker simply iterates through a variety of possible user credentials, submitting them all to the targeted system without trying to filter them for their likelihood of success.
This is a crude and inefficient technique, requiring a lot of resources from the attacker. It is much less common today than it was in the past.
What is a Dictionary Attack?
In a dictionary attack, the hacker uses a ‘dictionary’ of commonly-used values when testing potential credential sets. For example, lists of the most common passwords are widely available, and are often utilized by hackers for this purpose.
By using a dictionary, attackers can greatly reduce the time and resources required to wage a successful brute-force attack.
What is a Reverse Brute Force Attack?
In many brute force events, attackers already know (or can guess) user names, and so they try to discover the associated passwords.
A reverse brute force is the opposite approach. Here, attackers use known or common passwords, and try to find the usernames associated with them.
What is Credential Stuffing?
Credential stuffing means that an attacker has a list of valid credential sets from another system. (Typically, this list would be obtained during a breach of a different network, or purchased on the dark web from the hacker who performed the breach.)
In a credential stuffing attack, hackers merely iterate through this list, and “stuff” each credential into the login form or portal of the system they are targeting.
Many Internet users today still use the same combination of user name and password across multiple systems. As a result, credential stuffing can have a relatively high probability of success for the attackers, unless the targeted system has robust defenses against brute forcing (see below).
How to Protect Against Brute Force Attacks
In today’s threat environment, brute force attacks are common. Organizations must follow best practices for hardening their systems against them.
Publish and enforce strong credential policies. Unfortunately, many sites still have simplistic requirements for usernames and/or passwords, and this can encourage brute forcing. For example, if a threat actor knows that usernames and passwords are case-insensitive and only eight characters long, this makes a brute force attack trivial, and hackers will be motivated to attempt to crack the system.
Make your system an unattractive target. For example, if the login process for a web application includes a robust form of MFA (multi-factor authentication), it can be helpful to make this known in a prominent way. Threat actors who notice this will be deterred, because a brute force approach alone will be unable to successfully access the system.
Use a web security solution with robust defenses against ATO (Account Takeover). Brute-forcing is only a subset of the broader category of ATO attacks. To secure user accounts against hackers and bots, organizations must use a web security solution with strong ATO prevention capabilities, including hostile bot management, advanced rate limiting, and behavioral analysis. It is also important that the solution includes API security, because brute-forcing against APIs is growing more common today.
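As an added example that is not part of the original article, the following Python sketch shows the kind of rate-limiting check such a solution performs on login telemetry: it reads a constructed authentication log and flags a source that fails repeatedly against one account (simple or dictionary brute force) or against many different accounts (reverse brute force or credential stuffing). The log format, thresholds and alert names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page).
# One line per login attempt: "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 alice FAIL
2024-05-01T10:00:02 203.0.113.5 alice FAIL
2024-05-01T10:00:04 203.0.113.5 alice FAIL
2024-05-01T10:00:06 203.0.113.5 alice FAIL
2024-05-01T10:00:08 203.0.113.5 alice FAIL
2024-05-01T10:00:10 203.0.113.5 alice FAIL
2024-05-01T10:00:20 198.51.100.9 bob FAIL
2024-05-01T10:00:21 198.51.100.9 carol FAIL
2024-05-01T10:00:22 198.51.100.9 dave FAIL
2024-05-01T10:00:23 198.51.100.9 erin FAIL
2024-05-01T10:00:24 198.51.100.9 frank OK
2024-05-01T10:05:00 192.0.2.44 alice FAIL
2024-05-01T10:05:30 192.0.2.44 alice OK
"""

def parse(log):
    """Yield (timestamp, source_ip, username, result) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result

def detect(log, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Sliding-window check per source IP (thresholds are assumed values).

    "password-guessing": more than max_failures failed logins in the window
        (many passwords tried against few accounts: simple/dictionary brute force).
    "username-spraying": failures against more than max_users distinct accounts
        (one password tried across many accounts: reverse brute force/credential stuffing).
    Returns {source_ip: sorted list of alert kinds}.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures
    alerts = defaultdict(set)
    for ts, ip, user, result in parse(log):
        if result != "FAIL":      # successful logins do not count toward the window
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            alerts[ip].add("password-guessing")
        if len({u for _, u in q}) > max_users:
            alerts[ip].add("username-spraying")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}
```

In the constructed log, 203.0.113.5 hammers one account and 198.51.100.9 cycles through several accounts, while 192.0.2.44 is a user who mistyped once; only the first two sources are flagged.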