
Brute Force Attack

A brute force attack is a hacking technique used to discover user credentials by trying many possible credentials. It does not exploit any vulnerability in the application; it simply guesses different permutations and combinations of user credentials to see whether any of them is right.

It is a very basic trial-and-error method, automated with a tool. The tool takes a list of usernames and passwords and tries all possible combinations until it finds the correct credentials.

Requirements for a brute force attack

1. Password list

2. Brute force tool (like Metasploit, Aircrack-ng, Hydra, Medusa, etc.)

A username list may also be used, but the attack works with a single known username: the tool then only has to find that account's password.

How does a brute force attack work?

Brute force tool → Usernames & Passwords → Authentication → Response → Success/Failure

The brute force tool picks each combination of username and password and tries it against the web application. If the combination succeeds in logging in, it is stored as a correct credential; otherwise, it is discarded. The tool then moves on to the next possible combination and repeats the process for all such permutations and combinations. In the end, it returns all the correct credentials to the attacker, resulting in a successful login.

How to prevent brute force attacks?

Increase password length – Hackers can generate a list of passwords using automated computing. However, if your password is very long, it will take the hacker days, even with the most powerful computers, to make a list that long. This delay in trying to figure out the password via brute force discourages hackers. Secure your password in the middle of 300 billion.

Increase password complexity – Adding letters, numbers, special characters, etc. increases password complexity, and the time it takes hackers to reach your user credentials is extended by weeks.

Limit login attempts – If the web application allows only 5-10 login attempts before it locks further attempts on that account, it completely rules out the possibility of hacking through a brute force attack. Since brute force works only when millions and millions of combinations are tried, limiting the attempts to a few makes it ineffective. An alert is also sent to the user, who can change the password instantly.
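As an added example (not code from the original page), here is one way to enforce the attempt limit described above in Python: a per-account failure counter that locks the account after MAX_FAILURES wrong passwords, refuses even the correct password while locked, and records an alert for the user. The 15-minute lockout window and the sample password are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILURES = 5        # the page suggests 5-10 attempts before locking
LOCKOUT_SECONDS = 900   # assumption: lock the account for 15 minutes


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0           # consecutive failed attempts
    locked_until: float = 0.0   # unix time until which logins are refused
    alerts: List[str] = field(default_factory=list)  # stands in for "alert sent to user"


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so that guessing is expensive offline as well as online.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'; a success resets the counter."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"          # refuse even a correct password while locked
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
        acct.alerts.append(f"locked after {MAX_FAILURES} failures at t={now:.0f}")
    return "bad_password"


def demo() -> List[str]:
    """Five wrong guesses, then the right password during the lock, then after it."""
    acct = create_account("correct horse battery")  # constructed sample password
    results = [login(acct, "guess%d" % i, now=1000.0) for i in range(MAX_FAILURES)]
    results.append(login(acct, "correct horse battery", now=1001.0))
    results.append(login(acct, "correct horse battery", now=1000.0 + LOCKOUT_SECONDS))
    return results
```

In a real service the counter lives in a shared store rather than in process memory, and the per-account limit is usually paired with per-source throttling so guesses cannot simply be spread across many accounts.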

Use OTPs – Combining passwords with one-time passwords (OTPs) is an effective way to prevent brute force attacks. It ensures that only a single attempt at the password is made, and on top of that, a special code sent only to the user has to be entered. The OTP is also limited to 3-5 attempts before the account is blocked. If 1-2 secret questions accompany the OTP, it is called 2-factor authentication (2FA).

Use captcha – The use of a captcha dismantles brute-force attacks, as brute-force tools are not designed to fill in the captcha at every username and password attempt that they make.