What Is Brute-Force And How to Stay Safe?

by Denis Metev

We finally found the answer to the meaning of life question, but there’s a small problem – it’s on your roommate John’s computer. He even made a folder on the desktop “The meaning of life is…”, but it’s encrypted with a password.

A voice in your head whispers: “brute-force attack”.

What is brute force?”, you ask yourself. “And who said that?”

Trying not to pay attention to the latter question, you go ahead and ask John: “Hey, could you please tell me the password? I also want to know the meaning of life.”

John refused and went off to work. Just kidding, he doesn’t have a job.

Apart from annoying you, that is. He did go out to buy some beer, though, so you have time to figure out the password.

Brute-force attack”, the voice insists.

It’s not “John123”, nor “beer4me”. You’ve called his mom, but it’s also not “Ilovegingercookies”. Certainly surprising.  There are millions of combinations.

What do you do?

(BRUTE-FORCE… Okay, okay – you interrupt the voice and start a google search)

You Find Some Curios Brute-Forcing Facts:

  • Hacking attempts using brute force or dictionary attacks have increased by 400% in 2017.
  • 86% of subscribers use passwords, already leaked in other data breaches and available to attackers in plain text.
  • “123456789” can be cracked 431 times during the blink of an eye, but “A23456789” takes around 40 years to crack.
  • It may take around 30-40 thousand years for a 12-digit password to be brute-forced.
  • Brute force attacks use quadrillion of combinations to hijack your password.
  • More than 290 000 people use the password “123456”.

Incorrect password meme

What Is the Definition of Brute Force?

Brute forcing is an exhaustive search method, which tries all possibilities to reach the solution of a problem. Without being able to guess or get the password – the remaining option is to… break it.

Brute force hacking uses a calculation algorithm that tests all possible password combinations, thus as the password’s length increases, so does the time it takes to break it.

This is why brute force password attacks may take hundreds or even millions of years to complete.

Wonder How Long It Will Take to Break Your Password? 

Just avoid bragging about it by posting the actual password. And do change it, if it turns out it’s too easy. Now we need to talk about the

Types of Brute Force Attacks

While each brute force attack has the same goal – different methods are used. The most common one is the

Dictionary Attack

This one goes through all the words in the dictionary to find the password. Commonly used passwords and phrases are also included in the search, so if your password is “password” or “123456”, it will take a couple of seconds to crack it.

Password guessing

Reverse Brute Force Attacks

These take place when the attacker has your password, but not your username. It uses the same method as a normal brute force attack.

It is possible to launch an attack for both username and password, but it will take even more time – rendering the chances of success even slimmer.

Credential Recycling

This is an attack, where the hacker takes advantage of an already breached password. If someone can steal your YouTube password, they will certainly try accessing your Facebook, Twitter, etc. with the same credentials.

It’s best to use a unique password for every online account you have. It could be frustrating to remember all these details, though. Luckily we have password managers for that, some of them are even free.

How to Brute Force?

The brute force definition makes it really obvious how it can be pulled off. With some reading, you really need very little to actually do damage. There’s an abundance of different software for the purpose, too. Let’s have a look at some of it.

John the Ripper

is a popular brute force attack tool, which has been a favorite for a long time. It’s absolutely free and supports 15 different platforms – Windows, DOS, OpenVMS, Unix, etc. John the Ripper has various password cracking-features and can perform dictionary attacks.

Rainbow Crack

This one is a bit different from other brute-forcing tools because it generates rainbow tables that are pre-computed. This helps reduce the time in performing the attack. The tool is still in active development and is available for Windows and Linux OS. 

Cain and Abel

You can use this approach for network sniffing, recording VoIP conversations, decoding scrambled passwords and more. Antivirus software like Avast detects it as malware, so you should block your antivirus before starting.

DaveGrohl

A brute force attack tool for Mac OS. It’s open-source and has a mode that lets you perform attacks from multiple computers on the same password. This makes the password guesser even faster.

Crack

One of the oldest password cracking tools. It works only with the UNIX system. Its strategies include checking weak passwords and performing dictionary attacks.

Hashcat

It claims to be the fastest CPU based password cracking tool. It can be used on Windows, Linux and Mac platforms and is completely free. Widely renown for the vast array of options it comes with – dictionary, brute force, hybrid attacks and more. Hashcat uses more than 230 algorithms.

Aircrack-ng

This is a popular wireless password guesser, which is available for Windows and Linux and has also been ported to run on iOS and Android. With the tool, you can effectively find the password of a wireless network.

Now You Know the Tools, but There’s More…

Having improved CPU (Central Processing Unit) and GPU (Graphics Processing Unit) can greatly benefit a brute force attack.

The number of tries you can make per second are crucial to the process. A CPU core is generally much faster than a GPU core, but a GPU is excellent at processing mathematical calculations. More GPUs can increase your speed without any upper limit.

For example, to break an 8 character password on a CPU, it will take (1.7*10^-6 * 52^8) seconds / 2, or 1.44 years. On a GPU, this would only take about 5 days. On a supercomputer, this would take 7.6 minutes.

“Just Because You’re Paranoid Doesn’t Mean They Aren’t After You.”, Said Joseph Heller, so…

Here Are Some Brute Force Attack Prevention Tips

We’re still waiting for something on this planet to be completely protected. In the meantime, you can combine a couple of security measures.

Captcha

is a way of recognizing whether a computer or human is trying to login. You’ve ticked the “I’m not a robot” field numerous times, surely. It makes sense now. But computers are smart. There are ways to teach the machine to simulate human behavior. Using captcha on its own won’t do the trick.

Two-Step Authentication

is another useful way to ensure your privacy. The authentication commonly comes in the form of a code sent to your mobile. Just make sure not to lose your phone.

Limiting Login Attempts

can add an additional layer of security. Web-based servers start showing captchas if you hit the wrong password three times or more. They may even block your IP address. This will make brute-forcing even slower or entirely useless.

Encryption

It’s essential to have a strong encryption algorithm like SHA-512. Make sure you’re not using an old algorithm with known weaknesses.

256-bit encryption is one of the most secure encryption methods, so it’s definitely the way to go. 256-bit encryption crack time by brute force requires 2128 times more computational power to match that of a 128-bit key.

And the Last Step Is P@$sw0rd-101 Complexity, of course.

Combine all of the above and you will be as safe as possible. Educating your personnel on the topic will also increase the chance of brute force attack prevention.

Now you have the knowledge. You’ve managed to launch a brute force attack on John’s computer. Just in time.

(the voice is happy)

It only takes a couple of seconds and his password is cracked. “DAdams” – not that secure – finally you open the folder and see that the meaning of life is… 42

Really, John?

On the positive side, you’ve learned
what brute force is and how to use a brute force attack

FAQ

Q: How Does a Brute Force Attack Work?

A: The principle is very simple. It guesses passwords using speed and calculations made by the computer.

Q: How Fast Is It to Brute Force a Password?

A: It depends on your password difficulty and other security features you might have. Brute force may take a second or thousands of years.

Q: What Is the Best Protection Against a Brute Force Attack?

A: A combination of password complexity, limited login attempts, captcha, encryption algorithm and two-step authentication will provide the best possible protection.

Q: Which Are the Best Brute Force Attack Tools?

A: There’s a variety of good software you can use – John the Ripper, Cain and Abel, Crack, OphCrack, THC Hydra, etc. Be sure to check the specific requirements before using any of the tools.

Q: What Is a Brute Force Algorithm with Example?

A: Brute force algorithm consists of checking all the positions in the text and whether an occurrence of the pattern starts there or not. After each attempt, it shifts the pattern by exactly one position to the right. Here’s a clear example.

Q: Can AES be Cracked?

A: Theoretically yes, though it would take more than a billion years. AES has never been cracked yet and is it safe to say it will protect you against any brute force attacks.

Q: How Can I Be Sure My Password Is Secure Enough?

A: A secure password is long, and has letters, numbers, and symbols. Avoid dictionary words and common phrases. Generally, a password which is easy for you to remember will be easy for others to hack. 

Q: Tell Me Again – in Simple Words – What Is Brute Force?

A: Discovering a password without previously knowing it. You use a computer to make calculations and try every possible combination until the password is revealed. Depending on security measures, the process may take from seconds to thousands of years. 

Related Posts

Leave a Comment