Brute Force Attacks: What are They, and How Do I Prevent Them?


This entry is part 4 of 6 in the series Computer Security Made Simple

Brute Force Attacks

What are they?

They are essentially what they sound like. The attacker keeps trying different combinations of usernames and/or passwords until one lets them into your device (device being a computer, phone, website, router, or anything else that you log into). In most cases they use automated software to carry out the attack. Some of that software deliberately limits how many passwords it tries in a given timeframe, so that the account is never locked out and the attempts blend in with normal failed logins.

The attack is made much easier if you use “dictionary words” in your password. Rather than trying every possible string of characters, the attacker generates word lists (dictionary words, names, previously leaked passwords, and simple variations of them) and uses those as the basis of the attack. If your password is built from such words, the attacker only has to try the list instead of every combination of characters, which cuts down enormously on the processing needed to crack it.

Typically the attacker will write a script and distribute it among a number of compromised devices (called bots or zombies), and the bots will all “attack” the same device. The hope is that the more devices trying, the quicker they will find the password. Spreading the attempts across many source addresses also sidesteps defenses that block or lock out a single address after too many failures, since each bot on its own looks like a handful of typos. The bots keep trying until they either find the password or run out of combinations to try.
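What the attack looks like from the defender's side, as an added example (not code from the original post): a small Python detector run over constructed SSH-style log lines. It flags both a single noisy address and the distributed pattern described above, where many bots each stay under a per-address lockout threshold but together hammer one username. The log format, the addresses (RFC 5737 documentation ranges), and the thresholds are assumptions made for this example.

```python
"""Brute-force detection over SSH-style authentication log lines.

Added example; not code from the original post. The log lines below are
constructed (RFC 5737 documentation addresses) in the shape of OpenSSH's
"Failed password" message with an ISO timestamp prepended. The thresholds
are assumptions chosen for illustration, not recommended values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one noisy attacker against root, one successful login,
# one legitimate typo from alice, and a slow distributed attack on "admin"
# where each bot sends only two guesses, 90 s apart (under any per-IP lockout).
LOG_LINES = [
    "2024-03-01T10:00:01 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "2024-03-01T10:00:02 sshd[2202]: Accepted publickey for bob from 192.0.2.9 port 50000 ssh2",
    "2024-03-01T10:00:03 sshd[2203]: Failed password for root from 198.51.100.7 port 40124 ssh2",
    "2024-03-01T10:00:05 sshd[2204]: Failed password for root from 198.51.100.7 port 40126 ssh2",
    "2024-03-01T10:00:08 sshd[2205]: Failed password for root from 198.51.100.7 port 40128 ssh2",
    "2024-03-01T10:00:11 sshd[2206]: Failed password for root from 198.51.100.7 port 40130 ssh2",
    "2024-03-01T10:00:14 sshd[2207]: Failed password for root from 198.51.100.7 port 40132 ssh2",
    "2024-03-01T10:02:10 sshd[2210]: Failed password for alice from 192.0.2.5 port 51000 ssh2",
] + [
    # six bots (203.0.113.10 .. .15), two guesses each, against a non-existent "admin"
    f"2024-03-01T10:{m:02d}:{s:02d} sshd[{2300 + i}]: Failed password for invalid user admin "
    f"from 203.0.113.{10 + i // 2} port {42000 + i} ssh2"
    for i, (m, s) in enumerate([(5, 0), (6, 30), (7, 0), (8, 30), (9, 0), (10, 30),
                                (11, 0), (12, 30), (13, 0), (14, 30), (15, 0), (16, 30)])
]

# Matches OpenSSH's failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Return (timestamp, username, source_ip) for each failed login; skip other lines."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")))
    return events


def max_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window of window_seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, window_seconds=60, per_ip_threshold=5, distributed_threshold=5):
    """Two complementary checks:
    - noisy_ips: a single source with >= per_ip_threshold failures in one window
      (the classic case a per-IP lockout would catch);
    - distributed_targets: one username attacked from >= distributed_threshold
      distinct sources, each of which may be under the per-IP threshold.
    """
    failures_by_ip = defaultdict(list)
    sources_by_user = defaultdict(set)
    for ts, user, ip in events:
        failures_by_ip[ip].append(ts)
        sources_by_user[user].add(ip)

    noisy = {}
    for ip, stamps in failures_by_ip.items():
        peak = max_in_window(stamps, window_seconds)
        if peak >= per_ip_threshold:
            noisy[ip] = peak

    distributed = {user: len(ips) for user, ips in sources_by_user.items()
                   if len(ips) >= distributed_threshold}
    return {"noisy_ips": noisy, "distributed_targets": distributed}


if __name__ == "__main__":
    result = detect_brute_force(parse_failures(LOG_LINES))
    for ip, n in result["noisy_ips"].items():
        print(f"noisy source {ip}: {n} failures in one window")
    for user, n in result["distributed_targets"].items():
        print(f"distributed attack on '{user}' from {n} distinct sources")
```

The per-address check alone never fires for the admin attack, because no bot exceeds a couple of failures; counting distinct sources per account is what exposes it. What to do once it fires is a policy decision: locking the account after N failures from anywhere stops the guessing but also lets an attacker lock real users out on purpose, so per-account alerts, progressive delays, or a challenge step are usually preferable to a hard lockout.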

What can the attacker do if they crack your password?

In the case of websites, they can redirect visitors to malicious sites, put up ads that generate money for them, deface your site, upload malware that visitors will be infected with, or even remove your site. They can also use your site to run other attacks (turn it into a bot) if they have access to the control panels behind the scenes.

In the case of computers, routers, phones, or other devices, they can install malware that steals your information or turns your device into a bot. They can use your device to infect other devices on any network you’re connected to. Again, they can redirect your traffic to malicious sites or sites that generate revenue for them. Think of it this way. What can you do with your device? If you can do it, so can they.

If the attacker cracks your wi-fi password, they can conduct illegal activities through your network, and that activity traces back to your connection, not theirs. Until you can show that your own devices weren’t involved, you may be investigated, have equipment seized, be charged or sued for damages, and in the worst case be convicted of crimes you did not commit.

What can I do to mitigate this attack?

The first and foremost thing you can do is change your passwords. Make them stronger and harder to guess. Let me give you some examples:

A single-character password using just lower-case letters gives 26 possible combinations. A 2-character password gives 26 × 26 = 676 combinations, and a 5-character password gives 26^5 = 11,881,376 combinations (which sounds like a lot until you realize that even a low-end computer can try about 2 billion guesses per second against a stolen password hash). The formula that determines how many combinations there are is

Different combinations = (number of possible characters) ^ (password length)

(where “number of possible characters” is how many different characters could appear in any one position, and ^ means “raised to the power of”).

Two caveats on that 2-billion-per-second figure. It applies to offline cracking, where the attacker has already obtained a copy of your hashed password (from a breached database or a copied device) and can test guesses as fast as their hardware allows. Guessing against a live login page, router, or SSH prompt is thousands to millions of times slower, because every guess is a network round trip and the server can throttle or lock the account. Also, the times below are worst case: on average the attacker finds the password after trying about half of the combinations.

Add uppercase letters to the mix and you double the number of possible characters in every position, which multiplies the total by 2 for every character of length (2^9 = 512 times more combinations for a 9-character password). But remember that the computer can try 2 billion combinations in one second, so you also want to add numbers and special characters (if allowed). Look at it like this: a password drawn from lowercase and uppercase letters, numbers (0-9), and special characters gives you 52 alphabetic + 10 numeric + 32 special characters, for a total of 94 possible characters. A 9-character password built from all of these has 94^9 (about 5.7 × 10^17) combinations and would take about 9.1 years to exhaust on a single computer at 2 billion guesses per second. A 12-character password using the same character set has 94^12 (about 4.8 × 10^23) combinations and would take around 7.5 million years for a single computer to exhaust.

Using dictionary words, though, reduces this number drastically. The examples above were for purely random passwords. If you create a 13-character password like 12hitheresir?, the nine letters in the middle are just three common words, and a word-list attack guesses words as whole units rather than letter by letter. In the worst case, where the attacker’s list already contains that phrase, they really only have to figure out the 12? around it: 94^3 = 830,584 combinations, which takes well under a millisecond at 2 billion guesses per second. You handed them the rest of it. Even if they have to pick each of the three words separately from a list of a few thousand common words, those nine characters are worth far fewer guesses than nine random characters would be.
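As an added example (not code from the original post), the following Python computes the numbers above from the formula and adds two things the text only mentions in passing: the gap between offline and online guess rates, and how much a dictionary phrase is worth compared with the same number of random characters. The offline rate is the post’s 2 billion guesses per second; the online rate of 10 guesses per second and the 10,000-word list size are assumptions chosen for illustration.

```python
"""Keyspace and crack-time arithmetic for the password examples above.

Added example; this is not code from the original post. OFFLINE_RATE is the
post's figure for cracking a stolen hash. ONLINE_RATE and the 10,000-word
list size in report() are assumptions for illustration only.
"""
import math

LOWERCASE = 26
MIXED_CASE = 52
DIGITS = 10
SPECIALS = 32                                   # the post's count of special characters
FULL_SET = MIXED_CASE + DIGITS + SPECIALS       # 94

OFFLINE_RATE = 2e9      # guesses/s against a stolen hash (the post's figure)
ONLINE_RATE = 10.0      # guesses/s against a live, throttled login (assumption)
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """The post's formula: (number of possible characters) ^ (password length)."""
    return charset_size ** length


def worst_case_years(charset_size: int, length: int, rate: float) -> float:
    """Years needed to try every combination at `rate` guesses per second.
    The average case is half of this."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def bits(space: int) -> float:
    """Keyspace expressed as bits of entropy, handy for comparing unlike passwords."""
    return math.log2(space)


def equivalent_random_length(space: int, charset_size: int = FULL_SET) -> float:
    """Length of a fully random password over `charset_size` with the same keyspace."""
    return math.log(space) / math.log(charset_size)


def dictionary_keyspace(word_list_size: int, n_words: int,
                        random_chars: int, charset_size: int = FULL_SET) -> int:
    """Keyspace when the attacker guesses each word as a single unit from a word
    list and brute-forces only the remaining random characters."""
    return word_list_size ** n_words * charset_size ** random_chars


def report() -> dict:
    """The post's examples plus two extras, collected in one place."""
    return {
        "lower_5_keyspace": keyspace(LOWERCASE, 5),                              # 11,881,376
        "full_9_offline_years": worst_case_years(FULL_SET, 9, OFFLINE_RATE),     # ~9.1
        "full_12_offline_years": worst_case_years(FULL_SET, 12, OFFLINE_RATE),   # ~7.5 million
        # same 5 lowercase letters guessed against a live login at 10/s: ~2 weeks
        "lower_5_online_years": worst_case_years(LOWERCASE, 5, ONLINE_RATE),
        # "12hitheresir?" when the attacker's list already holds the phrase: only "12?"
        "known_phrase_keyspace": dictionary_keyspace(1, 3, 3),                   # 830,584
        # same password, but each of the 3 words must be picked from a 10,000-word
        # list (assumption): worth about as much as a 9-character random password
        "three_words_equiv_length": equivalent_random_length(dictionary_keyspace(10_000, 3, 3)),
    }


if __name__ == "__main__":
    for name, value in report().items():
        shown = f"{value:,.2f}" if isinstance(value, float) else f"{value:,}"
        print(f"{name:26s} {shown}")
```

The last line of the report is the one worth remembering: three common words plus three random characters, 13 characters on screen, buy roughly the same keyspace as 9 truly random characters, and that is the generous case where the attacker has to find each word independently. Length only helps when the characters are actually unpredictable.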

The second thing you can do is change your passwords regularly, and immediately whenever a site you use announces a breach. This is why most companies make you change your password every 90 days or so (the longest I’ve seen is 6 months). Remember the combination that takes 9 years to crack? If the password changes every 90 days, the attacker has to devote far more resources to cracking it before it expires. Same with the password that takes 7.5 million years. If there’s a limited amount of time before it changes, that requires more resources to crack it. But if you don’t change your password for 12 years, you basically hand it to them. After all, if it takes 9 years for one computer to crack, and you don’t change it in that timeframe, they don’t have to dedicate anything more than one computer to it, right? One caveat: forced rotation tends to push people toward short, predictable passwords (Winter2017!, Spring2018!), which helps the attacker more than the rotation hurts them. Length and randomness buy far more than frequent changes do, and current NIST guidance (SP 800-63B) drops mandatory periodic changes for exactly that reason, recommending instead that a password be changed when there is evidence it has been exposed.

The idea behind these first two mitigation factors is to make the attacker use more resources to try and beat you–thus making it somewhat cost prohibitive for them.

The third mitigation factor (and one you should do anyhow) is to rename, disable, or remove the default administrator accounts. Typically they will be called Admin, admin, root, or Administrator (or webmaster or admin in the case of sites), and those are the first usernames any brute-force tool tries. Either rename them to something nondescript, or disable them and create a separately named account with the privileges you need. Renaming only buys you a little, since a determined attacker can often find out which usernames exist, so the more important half is this: don’t use your administrator account for your day-to-day activities. It goes back to the principle of least privilege. If you aren’t installing a program or changing system settings, you shouldn’t be logged in with an account that can.

Yes, it’s a pain in the butt. But restoring your computer from a backup, or reformatting your computer and trying to find all of your documents, pictures, music, and applications again (after an attack) is a considerably bigger pain in the butt. Plus you can’t be sure that your backup wasn’t compromised. And in a worst case scenario, having to deal with criminal or civil repercussions because of an attack is also a considerably bigger pain in the butt.

One final mitigation factor, in the case of physical devices, is to limit who has access to them. If it’s a computer, phone, or router and you allow someone physical access, they can copy the parts of it that hold your credentials (the file of password hashes, the router’s saved configuration, or simply an image of the whole disk). Then they can crack the passwords offline at their leisure, at the full 2-billion-guesses-per-second rate with no lockouts to worry about, and come back with the correct information to do their deeds later. Full-disk encryption limits what such a copy is worth, but the basics still apply: don’t leave devices lying around, don’t hand them to strangers and step away, and don’t let just anyone “tinker” with them.

NOW, THIS IS NOT THE SAME AS TAKING IT TO A REPAIR SHOP! I need to emphasize this because if they are professionals, they abide by a standard. So they won’t access anything that isn’t required to fix the computer, and any data they do copy will be destroyed when they are finished working on your device. You’ll know the reputable ones, both by word of mouth and just by how they look and act. But it doesn’t hurt to dig into them a little before you take your computer in.


Sources: The information for this post was gathered from the following sources:

https://www.password-depot.com/know-how/brute-force-attacks.htm (the formula for the password combinations and how long it would take to crack each password).

https://www.wordfence.com/learn/brute-force-attacks/?utm_source=list&utm_medium=email&utm_campaign=061417 (General information about Brute Force Attacks)


