A Brute Force attack is a method used by attackers to gain unauthorized access to a system or account by systematically trying all possible combinations of usernames and passwords until the correct one is found.
The term “Brute Force” implies that the attack relies on sheer computing power and persistence rather than exploiting vulnerabilities or using more sophisticated techniques.
Brute Force Techniques
Three popular Brute Force techniques include:
Type | Description |
---|---|
Password Guessing | The attacker tries to gain unauthorized access to a user’s account by systematically trying all possible combinations of passwords until the correct one is found. This is often done by starting with simple and commonly used passwords and then moving on to more complex combinations. |
Dictionary Attacks | Instead of trying every possible combination, attackers often use a predefined list of commonly used passwords, known as a dictionary. This method, known as a dictionary attack, is more efficient than trying every possible combination, as it focuses on likely passwords based on common patterns. |
Credential Stuffing | In some cases, attackers may obtain username-password pairs from other data breaches and use this information to perform a Brute Force attack. Since people often reuse passwords across multiple accounts, this method, called credential stuffing, can be quite effective. |
Attackers typically use automated tools that can rapidly and continuously submit login requests to the website’s login page. These tools are programmed to input different usernames and passwords, iterating through a vast number of possibilities in a short amount of time.
Brute Force Mitigation Techniques
Here are some of the more popular mitigation techniques employed by website owners:
- Multi-Factor Authentication
- Whitelisting Access Points
- Rate Limiting
- Captcha Challenges
Type | Description |
---|---|
Multi-Factor Authentication (MFA) | Security control that requires users to provide two or more different factors or types of authentication to verify their identity. |
Deny-All / Whitelist Environments | Security control that limits access to “known goods” only, denying all other requests. |
Rate Limiting | Security control that restricts the number of login attempts within a specific time period. |
Captcha Challenges | Security mechanism designed to distinguish between automated computer programs (bots) and human users. |
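To make the rate-limiting row concrete, the following is an added example (not code from the original page) of a sliding-window login throttle that locks out an account after repeated failures, throttles a noisy source IP, and flags the credential-stuffing pattern from the first table (one IP failing against many distinct accounts). The class and function names, the thresholds, and the sample attempt records are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
WINDOW = 300           # sliding window in seconds
MAX_ACCOUNT_FAILS = 5  # failures per account in the window before lockout
MAX_SOURCE_FAILS = 20  # failures per source IP in the window before throttling
STUFFING_USERS = 10    # distinct failing usernames from one IP => stuffing pattern

class LoginRateLimiter:
    def __init__(self):
        self._by_account = defaultdict(deque)  # username -> deque of (ts, username)
        self._by_source = defaultdict(deque)   # source ip -> deque of (ts, username)

    def _recent(self, dq, now):
        while dq and now - dq[0][0] >= WINDOW:  # drop failures outside the window
            dq.popleft()
        return dq

    def allow(self, username, source_ip, now):
        """True if the attempt may reach the password check; False if throttled."""
        return (len(self._recent(self._by_account[username], now)) < MAX_ACCOUNT_FAILS
                and len(self._recent(self._by_source[source_ip], now)) < MAX_SOURCE_FAILS)

    def record_failure(self, username, source_ip, now):
        self._by_account[username].append((now, username))
        self._by_source[source_ip].append((now, username))

    def record_success(self, username):
        self._by_account[username].clear()  # a genuine login resets the account counter

    def stuffing_suspected(self, source_ip, now):
        # one IP failing against many distinct accounts is the credential-stuffing shape
        users = {u for _, u in self._recent(self._by_source[source_ip], now)}
        return len(users) >= STUFFING_USERS

def replay(attempts):
    """Replay (ts, user, ip, password_ok) records; return (throttled count, flagged IPs)."""
    limiter, throttled, flagged = LoginRateLimiter(), 0, set()
    for ts, user, ip, ok in attempts:
        if not limiter.allow(user, ip, ts):
            throttled += 1
        elif ok:
            limiter.record_success(user)
        else:
            limiter.record_failure(user, ip, ts)
            if limiter.stuffing_suspected(ip, ts):
                flagged.add(ip)
    return throttled, flagged

# Constructed sample: 8 guesses at one account, then one IP trying 12 different accounts.
SAMPLE = ([(t, "alice", "10.0.0.5", False) for t in range(8)]
          + [(100 + i, f"user{i:02d}", "198.51.100.7", False) for i in range(12)])
```

Running `replay(SAMPLE)` throttles the last three guesses against `alice` and flags `198.51.100.7`; in a real deployment the window and thresholds would be tuned per login endpoint and the flagged IPs fed to the CAPTCHA or deny-list controls above.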