Brute force attack

What is a Brute force attack?

August 29, 2020
A brute force attack uses trial and error to guess login information, such as passwords, in the hope of eventually guessing correctly.

A brute-force attack can, in theory, be used to decrypt any encrypted data, and it may be used when it is not possible to take advantage of other weaknesses in an encryption system. Against short passwords, brute force attacks can be quick and efficient, but for longer passwords the time needed to crack them grows exponentially. For longer passwords, attackers prefer dictionary attacks, a type of brute force attack in which the attacker simply tries a list of likely passwords until the correct one is found.

What resources are needed for a Brute force attack?

The resources required for a brute-force attack depend on the key size and increase exponentially with it. Modern symmetric algorithms typically use strong 128- to 256-bit keys, requiring fast and resource-heavy computing equipment. However, graphics processing unit (GPU) technology, which benefits from widespread availability and good price for performance, has proven very capable in brute force attacks on certain ciphers.

How can brute force attacks be prevented?

In the case of online attacks, countermeasures can be taken against brute force attacks, for example by limiting the number of times a password can be tried, introducing time delays between attempts, increasing the complexity of the answer (e.g. requiring a CAPTCHA answer or multifactor authentication), and locking accounts out after a set number of unsuccessful login attempts. Additionally, a particular IP address may be attempting a brute force attack, in which case that IP address can be blocked.
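As an added example (not code from the original post), a small Python login guard that applies these countermeasures together: a delay between attempts that doubles after each failure, a lockout after a set number of failures, and the same counters kept per source IP so a single address hammering many accounts is also stopped. The credential store, the delay and lockout values, and the class and function names are constructed for illustration.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # failed attempts before a lockout (constructed value)
LOCKOUT_SECONDS = 900   # lockout length, 15 minutes (constructed value)
BASE_DELAY = 1.0        # delay after the first failure; doubles each time

@dataclass
class Counter:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time the next attempt is accepted
    locked_until: float = 0.0   # non-zero while the subject is locked out

class LoginGuard:
    """Tracks failures per account and per source IP and enforces delays/lockouts."""

    def __init__(self, verify):
        self.verify = verify    # callable(username, password) -> bool
        self.by_user = {}
        self.by_ip = {}

    def attempt(self, username, password, ip, now=None):
        now = time.time() if now is None else now
        subjects = (self.by_user.setdefault(username, Counter()),
                    self.by_ip.setdefault(ip, Counter()))
        for c in subjects:
            if now < c.locked_until:
                return "locked"
            if c.locked_until:              # lockout expired: start fresh
                c.failures, c.locked_until = 0, 0.0
            if now < c.next_allowed:
                return "throttled"          # still inside the back-off window
        if self.verify(username, password):
            subjects[0].failures, subjects[0].next_allowed = 0, 0.0
            return "ok"
        for c in subjects:
            c.failures += 1
            c.next_allowed = now + BASE_DELAY * 2 ** (c.failures - 1)
            if c.failures >= MAX_FAILURES:
                c.locked_until = now + LOCKOUT_SECONDS
        return "denied"

# Constructed credential store for the demonstration (not a real account).
USERS = {"alice": "correct-horse-battery"}
guard = LoginGuard(lambda u, p: USERS.get(u) == p)
```

Passing an explicit `now` makes the behaviour reproducible in tests; in production the wall clock is used. Counting per IP as well as per account matters because a lockout keyed only on the username lets one source keep cycling through many accounts, or keep a legitimate user locked out.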

What is a Dictionary attack?

A dictionary attack is a form of brute force attack used to guess login information by trying thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords. The passwords used to guess login information are often obtained from lists of leaked passwords from past security breaches.

Was a Brute force attack or Dictionary attack ever used in the real world?

Yes. On Sunday, January 4th, 2009, a hacker known as GMZ found out that Twitter did not report or lock out any IP addresses that had any number of failed login attempts, so he developed a tool to launch a brute force/dictionary attack against the account of a Twitter administrator named Crystal. The program ran for several hours overnight, automatically trying different words; the password turned out to be 'happiness'. When “he checked the results Monday morning at around 11:00 a.m., he found he was in Crystal’s account.” He was then able to compromise several high-profile accounts by resetting their passwords, including those of President Barack Obama, Britney Spears, CBS News and Fox News.
 
