Burte force attack is a method used to guess username and password combination continuously until the valid login is discovered. Hackers use password cracking software to guess all possible passwords for a known username to gain access to the target system.

What are the tools for carrying out brute force attacks?

Brute force attack is guessing every combination of username and password until a valid one is identified. To carry out brute force attacks, you'll need an automated software tool to continuously log in to the target system until it is successful. The tool must be intelligent enough to guess the passwords from studying human behaviors to correctly guess the passwords and gain access. As most of us are having difficulty remembering random passwords, we often create a short password that is easy to remember. The password cracking tools begin with breached passwords and make intelligent guesses by using deviations of those passwords found. A few examples of password cracking software include Aircrack-ng, John the Ripper, L0phtcrack, and RainbowCrack.

Since the attacker must try millions of username and password combinations, it takes a lot of computing resources to carry out the attacks and it could take months and years to uncover moderate passwords. Some systems limit number of failed attempts within a specified period to defend against brute force attacks. This will not completely block brute force attacks, but locking out a user or banning IP may discourage hackers from attacking such targets.

What type of brute force attacks are there?

There are several types of brute force attacks with the common goal of uncovering someone else's login credentials. The ultimate goal is to make educated guesses to determine a login in the shortest possible time and minimum computing efforts. The following are popular brute force methods.

• Simple Attacks: There are a handful number of commonly used passwords like '123456', 'password', 'qwerty', '111111', 'admin' and 'abc123'. Simple attacks merely try those popular passwords without using software tools to reveal credentials.
• Dictionary Attacks: With a known username such as 'administrator', 'root' and 'admin', the cracking tool uses every permutation of dictionary words with commonly used symbols and their variations to uncover the password. This is a very basic brute force attack, and this is used in the early days but still being used.
• Hybrid attacks: Hybrid uses both dictionary words and breached passwords to make educated guesses of passwords that many users are using. Hybrid attacks are good at determining password phrases that are commonly used. This is one of the most popular brute force attacks being used today.
• Credential Stuffing: We often use same username and password on multiple websites. When a hacker steals credentials from one website, they will try the same combination on thousands of other websites to uncover more accounts.

Why use brute force attacks to steal login credentials?

Brute force attack is used to steal credentials to online accounts, and once stolen hackers use it to make money by doing one of the following:

• Obtain personal information such as name, address, phone number and SSN, and use them on identify theft or open other online accounts to disguise themselves.
• Sell stolen credentials on dark web.
• Sabatoage someone else's server to send bulk spam emails or use it for phishing purposes.
• Use someone else's credentials to perform illegal activities (malware, hijacking and other malicious activities).
• Publish advertisements on someone else's website and monetize the earnings.

How to protect from brute force attacks?

To keep your online identity safe, you must take precautions and defend yourself by following the best practices recommended by online security professionals. The following describes a few:

• Do not use default usernames. Every software, hardware, or online accounts come with a default username. WordPress, Windows, Linux, and Routers come with default usernames (and passwords). Do not use the default username (and password) provided by the software or manufacturer. They are the easiest target of brute force attacks.
• Remove accounts that are unused or no longer used. Users come and go, and accounts keep growing without limits. As an admin, perform routine maintenance and clean up accounts that are no longer used.
• If you have an ability to define password encryption, use the strongest encryption such as AES in 256-bits.
• Use strong passwords that are at least 16-characters with numbers and symbols. Also, do not reuse your password in multiple accounts. As a human being, it is next to impossible to remember 16-character passwords with numbers and symbols for every account we use. Use a password manager to help manage your passwords and create strong passwords. There are a handful number of free password managers you can use including browser built-in Google password manager and Apple iCloud Keychain. There are also several third-party password managers that offer free versions, so there is no reason not to use a password manager.
• Use 2FA. Two-factor authentication enhances our online security to the next level, and no one will be able to access your account without your permission. The first authentication (username/password) is from what you know, but 2FA will authenticate you by what you are (biometric - fingerprint or face recognition) or what you have (smartphones, tablets, or hardware dongles).

Online service providers can implement additional security measures to improve user security and discourage hackers from running brute force attacks. The following security features can be implemented.

• Lockout Policy: Locking out user account after a number of failed attempts will enhance security. However, this requires an additional management feature to "remove" locks as legitimate users won't be able to login because some third-party hackers attempt to login into user accounts. Removing locks automatically after a predetermined time (i.e. 15-minute, or 30-minute) will lessen the administrative tasks.
• Progressive Delays: Along with the lockout policy, the amount of locked period will be longer each time failed attempts continues. The delay can begin with 15-minutes, 30-minutes, an hour and then continue on to a longer period.
• Captcha / reCaptcha: To prevent a bot from logging into the system, a service provider can implement a captcha (or Google's reCaptcha) to prevent bots from logging in.
• Enforce strong passwords: By enforcing users to use a strong password, users won't be able to use weak passwords. The problem this may have cause is that the users may forget their passwords, and have difficulty logging in. The provider must provide an alternate way to retrieve (or reset) passwords.
• Implement 2FA: Adding 2FA greatly enhances user security. However, users must enable this functionality to make it useful. Unless you're a financial institution, it's very difficult to mandate 2FA at the current moment.