What is a Brute Force Password attack?
Following on from our Password Policy, we take a look at one of the most popular ways to breach an organisations security. Brute Force Attacks. This method is regularly used by Penetration Testers (White Hat Hackers) to test an organisations network security. In a Brute Force Attack an automated software is used to generate word combinations and attempt to breach using as many guesses as possible. This is the reason you now see Captcha's on most websites and accounts locking after a certain number of password attempts. This is also why law enforcement struggle to get into locked phones. Encrypted data can also be accessed by successful brute force attacks as DES (Data Encryption Standard) keys can be also infiltrated via this attack. To determine whether it is an AI (artificial intelligence), it is now standard practise to enforce a captcha utilising the Turin Test.
Social engineering comes hand in hand with Brute Force attacks. A social engineered attack could be a hacker downloading all your social media data and building a data dictionary of all your key words and combinations from your online presence. This can include regular mentions of pet names, family or even musicians you like. By building a dictionary of all your 'favourite' key terms, and also using a regular dictionary, a hacker is able to crack a password with relative ease (should the password be short). This is why organisations are advised to enforce regular password changes.
Brute Force can be very resource heavy and time consuming as it tries all possible legal characters in sequence. Having multiple systems attack a target can help reduce this time, but by then, an organisation should have security in place to alert them of such an attempt. Examples of tools include L0phtcrack from L0pht Heavy Industries which starts by making assumptions on the type of organisation and common knowledge available on the internet before utilising its Brute Force dictionary.
Reverse Brute Force
But what if you know the password but not the username? Reverse Brute force is another term for password cracking where an attacker will try one password across multiple user names. The main targets will always be websites, software or protocols that do not block failed attempts after a certain amount. Reverse Brute Forced is usually associated with the social engineering attack called Shoulder Surfing. This is where in a crowded place, someone will see you type a password to a site.
A strong password policy is the best way to combat against Brute Force attacks. It can take a system using Brute Force years to crack some passwords, and by then your password should have been changed multiple times. Implementing account lockouts and tracking all attempts to log on will help ensure you are aware of all the threats your web services are facing. Brute-force is also used to crack the hash and guess a password from a given hash. In this, the hash is generated from random passwords and then this hash is matched with a target hash until the attacker finds the correct one. Therefore, the higher the type of encryption (64-bit, 128-bit or 256-bit encryption) used to encrypt the password, the longer it can take to break.
Stephen Chapendama, Bantu Tech.