Hackers always have a goal–sometimes reaching that goal is as simple as a phishing attack or exploiting a software vulnerability, but that isn’t always the case. When a hacker’s objective lies beyond their reach thanks to good cybersecurity practices such as password rules and encryption, they might turn to another method: Brute force.

If you hit a locked box enough times, it will pop open, and the same (theoretically) goes for breaking into a computer system. By trying every possible password combination, or using a dictionary of common passwords, a hacker can gain access to an organization’s most valuable secrets.

It isn’t just web applications that are at risk from brute force attacks–encrypted databases, password-protected documents, and other secure data can be stolen in a brute force attack, whether it’s available online or downloaded to an attacker’s computer.

It’s essential that cybersecurity professionals know the risks associated with brute force attacks. Read on to find out what you need to know about this classic form of cybersecurity attack, how safe you may (or may not) be, and how to defend your systems against brute force attacks.

What is a brute force attack?

A brute force attack involves repeated login attempts using every possible letter, number, and character combination to guess a password.

An attacker using brute force is typically trying to guess one of three things: A user or an administrator password, a password hash key, or an encryption key. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys–the difficulty of brute force attacks grows exponentially the longer the password or key is.

The most basic form of brute force attack is an exhaustive key search, which is exactly what it sounds like: Trying every single possible password solution (i.e., lowercase letters, capital letters, numbers, and special characters) character by character until a solution is found.

Other brute force methods attempt to narrow the field of possible passwords by using a dictionary of terms (which is covered in more detail below), a rainbow table of precomputed password hashes, or rules based on usernames or other characteristics known about the account being targeted.

Whichever method an attacker chooses, the processing power needed to perform a brute force attack can be intense, especially when faced with modern encryption techniques. To solve that problem attackers have turned to specialized hardware that looks a lot like a cryptocurrency mining rig.

Brute-force attacks and cryptocurrency mining are essentially the same thing: Brute force computing power is used to manually crack encryption. That means the hardware needed to perform either with any degree of efficiency is the same–graphics processing units (GPUs) and application-specific integrated circuits (ASICs) designed for cryptocurrency use.

GPUs and cryptocurrency ASICs are designed to handle large loads of repetitive tasks, which is exactly what a brute force attacker needs. That doesn’t mean every hacker who is attempting a brute force attack uses one, but those who are serious about stealing your data definitely do.

Brute force attacks would be impossible for an individual to try manually, which is why a number of popular programs have appeared over the years that, while having legitimate purposes, can easily be turned to illicit use.

What is a dictionary attack?

Exhaustive key searches are the solution to cracking any kind of cryptography, but they can take a very long time. When an attacker has a high degree of confidence that the password they’re trying to crack consists of certain words, phrases, or number and letter combinations, it can be much quicker to compile a dictionary of possible combinations and use that instead.

Dictionary attacks can use an actual dictionary, but it’s more likely for them to contain a shorter list of words that an attacker thinks are likely to be successful. Commonly used password lists, popular names, pet names, movie or television characters, and other words can all be part of a dictionary list.

That’s not to say there isn’t an element of randomness to dictionary attacks–they typically account for common passwords that append a number or special character on the end of a word, or substitute a letter for a number, in order to guess any number of variations on a word or phrase.

Are brute force attacks only an online problem?

When thinking of a brute force or a dictionary attack, one may jump to the conclusion that it’s a problem exclusive to web applications or other secure online locations, but that’s hardly the case. Offline brute force attacks are very real and may even be a bigger problem than those targeting internet assets. It’s important to specify what’s different between online and offline brute force attacks.

Online brute force attacks are performed in real time with an attacker directly connected to the system they’re attacking. The cybersecurity attacks are restricted by elements such as internet bandwidth, security measures, and possible discovery by the victim.

Offline brute force attacks have no connection to the system being targeted, which is a large part of what makes them so dangerous. If an attacker is able to steal a password hash, encryption key, Security Account Manager (SAM) file (Windows’ method of storing passwords), /etc/shadow file (the Linux equivalent of SAM), encrypted database, password-protected file, or other secure document, that person has an unlimited amount of time to crack it without detection.

Offline brute force attacks are only limited by the computing power available to the attacker; with the proper setup, secured files, encryption keys, or passwords could be exposed in little time.

Is strong encryption effective against brute force attacks?

Security is often rated based on how long it would take a theoretical attacker to break it using brute force methods. The time needed grows exponentially with length because every additional character multiplies the number of candidates by 95, the count of possible letters, numbers, and special characters to cycle through to find the right one.

Cracking modern 256-bit encryption requires taking a lot of things into account: The complexity of the key or password, computing power, and even the laws of physics have to be considered when estimating the time it will take to crack a password or encryption key.

It’s easy to find calculations that take all of these variables into account–most of which arrive at the conclusion that it would take more time than the age of the universe to break even 128-bit encryption. Double that to 256-bit, and you have what theoretically is an unbreakable code.

Passwords are easier to break because assumptions can be made about what they contain, thereby limiting the number of tries it takes to brute force crack them. Encrypted passwords stored as hashes are still easy to break, as demonstrated in this blog post by cybersecurity professional Daniel Sewell.

Using Hashcat, Sewell was able to break an unsalted SHA1 hashed password in less than one second, and a PBKDF2-SHA256 salted hash in eight and a half minutes.

So is strong encryption safe against brute force attacks? Yes and no–the weakness is in how passwords are stored. No attacker is going to try to brute force a 256-bit encrypted document–they’re going to try to figure out what password will get them access to the unencrypted version.

How can IT professionals protect against brute force and dictionary attacks?

Brute force attacks generally focus on the weak point of encryption: Passwords. As Sewell showed in his blog post, even a well-hashed password will only slow a skilled attacker down if they’re able to steal a hash table.

In the case of online brute force attacks, the solutions are relatively simple: Put limits in place that prevent multiple login attempts. This can be done in several ways:

  • Lock an account out after a certain number of failed attempts;
  • Force an account that fails to log in multiple times to use a method like captcha or other secondary verification;
  • Use two-factor authentication so that more than a password is required to log in; and
  • Ban multiple login attempts from a single IP address.
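
The limits listed above can be combined in one small component that a login handler consults before checking the password. The following is an added example, not code from the original article; the class name, thresholds, and window length are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Counts failed logins per account and per source IP in a sliding window."""

    def __init__(self, account_limit=5, ip_limit=20, window=900, clock=time.monotonic):
        # Limits and window are illustrative assumptions, not values from the article.
        self.account_limit, self.ip_limit = account_limit, ip_limit
        self.window, self.clock = window, clock
        self._by_account = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    def _recent(self, bucket):
        # Drop failures older than the window, then count what is left.
        cutoff = self.clock() - self.window
        while bucket and bucket[0] <= cutoff:
            bucket.popleft()
        return len(bucket)

    def check(self, account, ip):
        """Decide before verifying the password: 'allow', 'challenge' or 'block'."""
        if self._recent(self._by_ip[ip]) >= self.ip_limit:
            return "block"          # too many failures from this address
        failures = self._recent(self._by_account[account])
        if failures >= self.account_limit:
            return "block"          # account locked out until failures age out
        if failures >= self.account_limit // 2:
            return "challenge"      # require CAPTCHA or secondary verification
        return "allow"

    def record(self, account, ip, success):
        """Record the outcome of an attempt that was allowed through."""
        if success:
            # Reset the account only: a success must not clear the IP counter,
            # or an attacker could reset it by logging in to their own account.
            self._by_account.pop(account, None)
            return
        now = self.clock()
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)
```

Because the lockout expires when failures age out of the window, an attacker cannot keep a legitimate user locked out permanently with a single burst of bad guesses.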

Offline brute force attack prevention is a bit trickier: If an attacker gains access to password hash files, it’s only a matter of time before they’re walking in the front door.

So how can you prevent an offline brute force attack from succeeding? There are several enhancements you can make to your security to protect against one:

  • Longer passwords are better–special characters don’t matter anymore since they can be guessed with ease;
  • Screen passwords to prevent the use of common words, phrases, or combinations thereof;
  • Make sure your hashes are truly secure–if you’re unsure where to start, check out this guide to salted password hashing; and
  • Never store passwords in plain text–if an attacker gets access to that, they don’t even need to bother brute forcing it.
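
The screening and hashing advice above, together with the dictionary variations described earlier (appended numbers or special characters, letters swapped for numbers), can be applied at password-set time. This is an added example, not code from the original article; the word list is a constructed sample, and the minimum length, substitution table, PBKDF2 iteration count, and stored-hash format are assumptions.

```python
import hashlib, hmac, os, re

# Constructed sample list; a real deployment loads a large common-password list.
COMMON = {"password", "dragon", "letmein", "monkey", "qwerty"}
LEET = str.maketrans("013457@$!", "oieastasi")   # undo common letter swaps
WORDS = re.compile("(?:%s)+" % "|".join(map(re.escape, sorted(COMMON))))

def screen_password(password, min_length=12):
    """Return a list of reasons to reject the password (empty list = accept)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    lowered = password.lower()
    # Undo appended digits/symbols, then letter substitutions.
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    for candidate in (stripped.translate(LEET), lowered.translate(LEET)):
        # fullmatch catches a single common word or several run together.
        if WORDS.fullmatch(candidate):
            reasons.append("common word or combination")
            break
    return reasons

def hash_password(password, iterations=600_000):
    """Salted, deliberately slow hash; the salt and cost are stored with it."""
    salt = os.urandom(16)                      # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```

A slow salted hash only raises the cost per guess, so the screening step matters: a password that passes through as "P@ssw0rd123!" falls to a dictionary regardless of how it is hashed.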
