Brute force is certainly one of the most trivial attack techniques. The main reason: the human factor remains the weakest link in the cybersecurity chain. Indeed, there is no need to carry out social engineering attacks or sophisticated SQL injection attacks to steal credentials because habits die hard: users’ passwords remain weak and therefore easy to guess. With the right tools, even the most novice attackers can compromise data and cripple the systems of large companies.
However, it would be unfair to put the blame solely on the users, because even before an attack targeting their credentials, they are often already victims of ineffective or even counterproductive security policies. And even in the companies that are most aware of the risks of brute force attacks, the mechanisms and protective measures implemented are most of the time insufficient. We will come back to this subject in the heart of our article because there are still many preconceived ideas about brute force, which, spoiler alert! is not only used to bypass authentication systems by guessing passwords and user IDs.
Let’s get to the heart of the matter with this article, which aims to analyse these various biases and present the essential measures for preventing or countering the various types of brute force attacks.
What is a brute force attack?
A brute force attack is a trial-and-error process used to guess credentials (IDs/passwords or encryption keys) in order to gain unauthorised access to a system. It involves starting with one login and trying several password combinations or, conversely, using several logins against one password.
However, brute force is not just that, contrary to popular belief. For information, it is certainly the technique that we use most often during our penetration tests on all types of targets, as the possible exploits are so numerous. Indeed, as indicated in the preamble, brute force attacks are not only used to guess IDs or passwords. They are often used as vectors to launch other attacks and exploit the vulnerabilities of certain systems:
- Access control issues (IDOR) by guessing credentials in case of lack of access control allowing access to data or files, etc.
- Fuzzing (content search) via the use of a dictionary to find files not listed on an application interface for example.
- User enumeration in case of misconfigurations providing other options to an attacker such as targeting users with phishing for example.
In fact, brute force attacks are widespread and widely used by pentesters and attackers alike because they can take advantage of a plethora of security holes. And to make matters worse, they are very easy to execute with tools (BURP, HYDRA, John the Ripper, etc.), automation scripts and password databases (dictionaries).
Finally, let’s face it, brute force attacks are relatively effective because users still use weak passwords too often, and cracking them is still the most common use case.
What are the different types of brute force attacks?
There are several types of brute force attacks: dictionary attacks, password spraying and credential stuffing.
In this type of attack, all the words in a dictionary are tested to find a password or files (in the context of fuzzing). Moreover, it is not a question here of testing the words of ordinary dictionaries but of real databases (such as RockYou or SecLists for example) resulting from numerous studies and analyses of user and developer habits and constantly updated. In addition, attackers can configure the tools used for brute force to add numbers, characters and other elements to test many more complex possibilities.
Password spraying attacks
Password spraying is another variant of brute force attack. In this case, an attacker tests commonly used passwords to gain access to one or more user accounts. Traditional brute force attacks attempt to gain unauthorised access to a single account by guessing the password. This can quickly result in the targeted account being locked out, as commonly used account lockout policies typically allow a limited number of unsuccessful attempts. And this is still a bad idea, and we’ll come back to this point a little later in our best practices.
Thus, password spraying attacks are not only attempts to avoid this type of security mechanism but are very effective. Attackers assume that within a large group of people, there is likely to be at least one person who uses a common password, and unfortunately this is all too often the case. Indeed, logins in passwords, the name of the company or application followed by the year and a punctuation mark (usually an exclamation mark) are common practice and known to attackers.
Unlike dictionary attacks or password spraying, credential stuffing occurs after a user account has been compromised when an attacker guesses a valid username and password combination for access to a given system. In this case, an attacker tries the same combination on other systems, assuming that users usually use the same password for several sites, which is unfortunately often true.
For a company, a brute force attack can have disastrous consequences: theft, data leakage or alteration, financial losses, damage to reputation, delays and errors in operations, etc. It is therefore important to implement the necessary technical measures to prevent or counter this type of attack.
How to prevent or counter brute force attacks?
Implement an effective password policy
Countering a brute force attack necessarily involves implementing an effective password policy. To do this, the “size” factor alone is essential, because the longer a password is, the more difficult it will be to guess via a brute force attack.
However, this criteria is still too often ignored by the companies in charge of implementing these password policies and users are fed and forced by counterproductive or even dangerous instructions in terms of security. Indeed, guidelines such as: minimum length of at least 8 characters including at least one capital letter, one number and one special character, are outdated and misleading.
For example, let’s take the following password: Mypassword1! If we follow the guidelines above, this password is considered secure when it is not. Indeed, it is much easier to guess via a brute force attack than the following password: luckyyouifyoucanguessmypassword, which contains no numbers, capitals or special characters. So length is the watchword for defining a secure password (15 to 20 characters regardless of the type of characters), as this reduces the chances of being guessed. And, of course, you should avoid strings of characters (such as 12345678910111213), that goes without saying.
Also, it must be assumed that an attacker does not perform this type of technique manually, by entering passwords one by one, even if this can happen for default passwords. Indeed, many web applications and frameworks create default users during installation (id: admin / password: admin being a common case). If these user accounts are not deleted or modified, they are easy targets for a brute force attack, which therefore usually relies on automated tools to perform thousands of queries per minute with credentials generated from a long list of possible values (dictionary attacks, remember?).
Finally, let’s talk about expiration policies, which aim to encourage frequent password changes to prevent potential leaks. At first glance, this seems like a good security measure. However, an analysis of user behaviour shows a very different reality. Indeed, most of the time, users simply create another password that is not secure because it is easy for attackers to crack. It is therefore recommended to ban these password expiration policies and simply encourage users to choose a sufficiently long and complex password.
There are many ways to raise awareness among employees. One of them is to make them responsible by inviting them to check at a certain frequency whether their passwords, logins, phone numbers have not been compromised and disclosed in a data leak. Tools such as Have I Been Pwned? facilitate this verification and also offer the possibility for companies to sign up to receive alerts in case of data leaks. A web and dark web audit can also be considered in order to identify its attack surface and therefore possible data leaks on the clear or dark web.
Do not disable accounts after failed login attempts
Another common defence strategy against a brute force attack is to automatically disable an account after a certain number of failed login attempts. In most cases, the account can be reactivated automatically after a certain period of time, or the user may have to contact the administrator to have the account reactivated. In either case, automatic disabling of user accounts is a poor security mechanism to counter a brute force attack.
Firstly, by disabling accounts, the system has traded an authentication bypass vulnerability for the possibility of DoS (denial of service) attack. Indeed, if an attacker can disable an account after 3 unsuccessful attempts every 30 minutes for example, he can effectively prevent that user from accessing the system. Imagine the damage a brute force attack could do if used against an administrator account with such a mechanism in place.
Secondly, account locking is ineffective against password spraying attacks or some dictionary attacks, which focus on passwords, because this mechanism assumes that the attacker keeps the username and tries to guess the password. In these cases, an attacker could make thousands of login attempts, and even if each one fails, the system will only record one incorrect login per account.
Set a delay after each failed login attempt
A better technique to counter brute force attacks is to gradually delay the response of the page after failed login attempts. After the first failed login attempt, for example, the response will be delayed by one second. After the second failed connection, the response is delayed by two seconds, and so on.
Implementing this type of technique, known as incremental delay, can render automated brute force tools completely ineffective, as the time required to make attempts will be greatly increased.
Implement a multi-factor authentication
Adding an additional authentication factor also makes it more difficult for an attacker to crack an account via a brute force attack. With a 2FA in place, an attacker will face another barrier, often very difficult or impossible to guess for a randomly generated code with a limited duration for example, and will not be able to log into a user’s account, even if they enter the correct username and password.
For more information, you can read our dedicated article: How 2 factor authentication works and how to implement it?.
Use a robust algorithm to store passwords
The storage of user passwords in a database must be done in a secure manner. Indeed, if this database is compromised, all the passwords will be accessible if they are stored in clear text. The storage of passwords in clear text must be absolutely prohibited.
It is therefore important to use a robust algorithm to store passwords. For more details, we have dealt with the subject at length in a dedicated article, which we urge you to consult: How to securely store passwords in a database?
Monitor all user events
Monitoring user activity and events within your network does not counter brute force attacks, but it is an essential part of a good security strategy. Indeed, with an efficient monitoring it is possible – among other things – to detect unusual events such as repetitive access requests.
For more information, you can consult our dedicated article: Logging and monitoring, definitions and best practices.
Customise error messages
Finally, it is important to create appropriate error messages in response to failed login attempts, as this is often one of the success factors of a brute force attack. In fact, it is important not to make it easier for attackers to gain valuable information and therefore save time with messages such as “user not found” or “incorrect password”.
Indeed, a “user not found” message tells an attacker that the user ID he is trying to guess via brute force does not exist in the system. On the other hand, the “Incorrect password” information tells him that the user ID does exist, but that the password is incorrect.
Thus, it is safer for an application to respond with an “obscure” message such as “Incorrect username or password” when a login attempt fails to give any clues to a potential attacker.
Conclusion: to counter brute force attacks, it’s the size that matters!
Password authentication is still the most common way to grant access. However, as low-tech as they may be, brute force attacks are very effective in compromising applications. Appropriate security mechanisms must therefore be implemented.
The first and foremost method of thwarting a brute force attack is to require all users to choose a strong password. To do this, it is definitely a question of size! Passwords should be long (15 to 20 characters, with no limit on the maximum size). In fact, there are no guidelines such as: length of at least 8 characters with a mix of upper and lower case letters, numbers and punctuation marks. And there is nothing like a password manager to implement or reinforce a password policy.
Finally, it is important not to make the work of attackers easier. Thus, procedures for frequent password changes, account deactivation mechanisms or generic messages of failed login attempts must be avoided.