Brute Force Attack
A brute force attack is a hacking technique used to discover user credentials by trying many possible credentials in turn. It does not exploit any vulnerability in the application; it simply guesses different permutations and combinations of usernames and passwords to see whether any of them is correct.
It is a very basic trial-and-error method, automated using a tool. The tool takes an array of usernames and passwords and then tries every combination until it finds the correct credentials.
Requirements for Brute force attack:
1. Password list
2. Brute force tool (like Metasploit, Aircrack-ng, Hydra, Medusa etc.)
A username list may also be used, but a single username can instead be supplied to find its correct password.
How does a brute force attack work:
Brute force tool → (Usernames & Passwords) → Authentication → (Response) → Success/Failure
Each combination of username and password is picked by the brute force tool and tried against the web application. If the combination results in a successful login it is stored as a correct credential; otherwise it is discarded. The tool then moves on to the next possible credential combination and repeats the process for every permutation and combination. At the end, it returns to the hacker all the credentials that resulted in a successful login.
How to prevent Brute force attacks:
• Increase password length – Hackers can generate a list of candidate passwords by automated computing. However, if your password is very long, it can take the hacker days, even with the most powerful computers, to build a candidate list that covers passwords of that length. This delay in figuring out the password via brute force discourages hackers.
• Increase password complexity – Adding letters, numbers, special characters, etc. increases password complexity, and the time a hacker needs to reach your credentials is extended by weeks.
• Limit login attempts – If the web application allows only 5-10 login attempts before it blocks further login attempts on that account, it rules out hacking through a brute force attack. Since brute force works only when millions and millions of combinations are tried, limiting it to a few attempts does not let that work. Also, an alert is sent to the user, who can change the password immediately.
• Use OTPs – Using an OTP along with the password is an effective way to prevent brute force attacks. It ensures that only a single attempt at the password is made, and on top of that a special code sent only to the user has to be entered. The OTP also has a limit of 3-5 attempts before the account is blocked. If the OTP is accompanied by 1-2 secret questions, it is called 2-factor authentication (2FA).
• Use a Captcha – Using a Captcha breaks the functioning of brute force attacks, as brute force tools are not designed to fill in the captcha on every username and password attempt they make.
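The "limit login attempts" control above, as an added example (not code from the original article): a login guard that counts consecutive failures per account, locks the account after a fixed number of them, records the alert that would be sent to the user, and ignores any further guesses, including the correct password, until the lock expires. The attempt limit, lockout window, sample user and guess list are all constructed assumptions for illustration; a real deployment would also use a slow, salted password hash rather than plain SHA-256.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5            # assumed limit; the article suggests 5-10 attempts
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window (15 minutes)


def make_users(plain_passwords):
    """Build the {username: password-hash} table (SHA-256 here for brevity only)."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in plain_passwords.items()}


class LoginGuard:
    def __init__(self, users, now=time.time):
        self._users = users
        self._failed = {}        # username -> consecutive failed attempts
        self._locked_until = {}  # username -> time at which the lock expires
        self._now = now          # injectable clock so tests can advance time
        self.alerts = []         # alerts that would be sent to the account owner

    def _password_ok(self, username, password):
        expected = self._users.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        # compare_digest keeps the comparison time independent of where the hashes differ
        return expected is not None and hmac.compare_digest(expected, digest)

    def login(self, username, password):
        now = self._now()
        if self._locked_until.get(username, 0) > now:
            return "locked"            # attempt ignored, even if the password is right
        if self._password_ok(username, password):
            self._failed[username] = 0
            return "success"
        self._failed[username] = self._failed.get(username, 0) + 1
        if self._failed[username] >= MAX_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failed[username] = 0
            self.alerts.append(f"{username}: locked after {MAX_ATTEMPTS} failed logins")
            return "locked"
        return "failure"


def run_guesses(guard, username, guesses):
    """Show what a guessing loop observes: the guard's response for each guess in order."""
    return [guard.login(username, g) for g in guesses]
```

With a constructed list where the real password is the sixth guess, the loop sees four failures, then "locked" for every remaining guess, so the correct password is never confirmed.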