What Is A Brute-Force Attack?

Date First Published: 25th May 2023

Topic: Cybersecurity

Subtopic: Threats To Systems, Data & Information

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 7/10

Learn more about what a brute-force attack is in this article.

A brute-force attack is a type of cyberattack in which the attacker repeatedly submits large numbers of passwords in the hope of discovering the correct one. Brute-force attacks do not attempt to decrypt any information; they simply try as many combinations as possible until the password is cracked. Attackers usually perform brute-force attacks either by guessing manually or by using a program that automatically works through a list of common passwords until it discovers the correct one and they gain access to the account or network. As the name suggests, this type of cyberattack relies on sheer force, making an excessive number of attempts to break into an account or network.

Brute-force attacks are one of the most common ways that electronic accounts are compromised, and they are the reason why complex passwords are recommended. The time a brute-force attack needs to guess a password correctly varies depending on how strong the password is: a weak password can be guessed in a few seconds, whilst a strong password may take hours, days, or even weeks.

Types Of Brute-Force Attacks

Below are six types of brute-force attacks:

  • Simple brute-force attack - In this type of brute-force attack, the attacker tries to guess a password manually without using any automated programs. They guess by inputting very simple and common passwords (e.g. 12345, qwerty) and any details they know about the victim, such as their first name, surname, the name of their pet, their date of birth, etc.
  • Dictionary attack - In this type of brute-force attack, the attacker uses a wordlist of common words, phrases and their variations and tries each one against the target password. Usually, every word in the dictionary is tested in order to discover the password. Attackers can also append numbers, letters, and special symbols to the words when performing the dictionary attack.
  • Reverse brute-force attack - In this type of brute-force attack, the attacker reverses the strategy by starting with a common password, or a password that is already known, and trying it against multiple usernames to gain access to an account or network. Attackers often rely on lists of passwords leaked in previous data breaches but do not know which usernames those passwords belong to.
  • Hybrid brute-force attack - The most complex type of brute-force attack. Here the attacker combines a dictionary attack with a simple brute-force attack: they work through a list of common dictionary words and mix commonly used passwords and random characters in with them.
  • Credential stuffing - This happens after a user account has been compromised and the attacker tries the same username and password combination on other websites, particularly very high-traffic, well-established sites, in the hope that it works there too. Attackers often collect lists of stolen credentials that were exposed in previous data breaches. Credential stuffing is a reason why reusing passwords across multiple accounts is not recommended.
  • Password spraying - This involves an attacker trying a few commonly used passwords against a large number of accounts, which avoids the account lockouts that are triggered when an incorrect password is entered for the same account a certain number of times.

How To Prevent Brute-Force Attacks?

Below are five steps you can take to prevent brute-force attacks:

  • Use strong passwords - The most obvious way to prevent a password from being discovered by a brute-force attack is to use strong passwords. The stronger the password, the longer a brute-force attack will take to guess it correctly. A weak password makes it much easier for the brute-force attack to succeed, whilst a strong password will take several weeks, months, or even years to crack. For more information on what makes a strong password, see this article.
  • Use two-factor authentication - Two-factor authentication adds an extra layer of security to electronic accounts. Although it will not prevent brute-force attacks, if a password is correctly guessed by one, the attacker still cannot access the account, as it is very unlikely that they would get past the second security layer, such as the four to six-digit security code.
  • Limit failed login attempts - Locking users out after a certain number of failed attempts, usually three, will prevent attackers from trying multiple passwords. This may work by blocking the attacker's IP address or by disabling the password and requiring a reset, in which case a password reset email with the new password is sent to the user's email address. However, attackers often use multiple systems to perform a single brute-force attack, similar to a DDoS attack, so a per-address block alone is not enough. Requiring a password reset after a certain number of failed attempts also allows attackers to constantly inconvenience users by forcing them to reset their password whenever someone deliberately enters the wrong password for their account multiple times.
  • Use CAPTCHAs - CAPTCHAs can prevent web forms from being abused by automated bots and brute-force attacking tools, like John the Ripper. Since CAPTCHA challenges are designed to be solved only by humans, most bots and brute-force attacking tools cannot get past them, which blocks their attacks.
  • Delete inactive accounts - Inactive accounts can be a security risk, as they are often a target for brute-force attacks. They are targeted because users are less likely to notice that their account has been compromised if they have not signed in for a long time. Most providers, particularly email and file storage providers, will automatically delete accounts that remain inactive for an extended period of time.
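The two detection rules above interact: a per-account lockout after three failures stops a dictionary attack on one user, but password spraying (a few passwords across many accounts) deliberately stays under that threshold, so a defender also needs to count distinct accounts per source address within a time window. The following example, written for this article and not code from the original page, runs both rules over a constructed log of failed logins; the thresholds, window length and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login records: "timestamp source_ip username".
# 203.0.113.7 tries one password against five accounts (spraying);
# 198.51.100.4 hammers a single account (classic dictionary attack).
SAMPLE_LOG = """\
2023-05-25T10:00:01 203.0.113.7 alice
2023-05-25T10:00:02 203.0.113.7 bob
2023-05-25T10:00:03 203.0.113.7 carol
2023-05-25T10:00:04 203.0.113.7 dave
2023-05-25T10:00:05 203.0.113.7 erin
2023-05-25T10:01:00 198.51.100.4 alice
2023-05-25T10:01:05 198.51.100.4 alice
2023-05-25T10:01:09 198.51.100.4 alice
2023-05-25T10:01:12 198.51.100.4 alice
2023-05-25T10:30:00 192.0.2.9 frank
"""

LOCKOUT_THRESHOLD = 3      # assumed: failures on one account before lockout
SPRAY_ACCOUNTS = 4         # assumed: distinct accounts from one source address
WINDOW = timedelta(minutes=5)  # assumed sliding window for both rules


def parse(log_text):
    """Turn each log line into a (timestamp, source_ip, username) tuple."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, user))
    return events


def analyse(log_text):
    """Return (locked_accounts, spraying_sources) found in the log."""
    events = sorted(parse(log_text))
    per_user = defaultdict(list)   # username -> recent failure timestamps
    per_ip = defaultdict(list)     # source ip -> recent (timestamp, username)
    locked, sprayers = set(), set()
    for ts, ip, user in events:
        # Keep only failures that fall inside the sliding window.
        per_user[user] = [t for t in per_user[user] if ts - t <= WINDOW] + [ts]
        per_ip[ip] = [(t, u) for t, u in per_ip[ip] if ts - t <= WINDOW] + [(ts, user)]
        if len(per_user[user]) >= LOCKOUT_THRESHOLD:
            locked.add(user)               # per-account rule (limit failed logins)
        if len({u for _, u in per_ip[ip]}) >= SPRAY_ACCOUNTS:
            sprayers.add(ip)               # per-source rule (password spraying)
    return locked, sprayers
```

On the sample, only alice is locked out, and only 203.0.113.7 is flagged as spraying, even though it never failed more than once against any single account.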
