If you use online services often, you have probably noticed that most of them now require complex passwords or multi-factor authentication to sign up. This requirement is becoming more common among service providers, who need to minimize the risk of successful brute-force attacks on their users’ passwords. If you are unfamiliar with brute force, worry not: the nature of these attacks and the strategies to mitigate them are the subject of this article.
Have you ever forgotten the combination of your travel trolley? If so, you must have realized that it would be enough to try every combination of numbers on the three dials to unlock it within a couple of dozen minutes. Time you would rather spend on something else, but definitely worth investing, considering the value of your luggage contents. This is an example of a rudimentary, but no less effective, brute-force attack.
There is no single, precise definition of brute-force attacks, as this strategy was created not by hackers but by mathematicians; for this reason, the term brute force has long been used in a variety of contexts. When we refer to a “brute-force” methodology in mathematics or computer science, we describe a simple approach: trying every possible solution to a problem until one of them turns out to be correct.
In the field of cyber security, “brute force” therefore consists in trying to penetrate an environment by systematically attempting every possible access strategy until one proves effective. A more practical example, which also happens to be the case most often referred to when speaking of brute force, is a hacker attempting to decrypt data or recover passwords. The brute-force attack is carried out by searching for the decryption key or password, trying every possible combination of letters, numbers and other characters it could contain.
From a mathematical point of view, the success of this attack is certain, but from a practical point of view, who could attempt hundreds of thousands of combinations in a realistic time window without giving up?
To successfully carry out the attack, hackers rely on two factors:
- Dedicated Infrastructure: specialized software and powerful computers. These tools allow them to attempt hundreds (even thousands) of different keys per second, reducing both the time and effort necessary to reach success.
- Intel: gathering information about the person whose key you are trying to steal greatly helps reduce the number of combinations to attempt. It might not seem too relevant, but coming back to the luggage example, imagine being sure that the combination on your trolley does not contain a 9. It would take you at least a fifth less time to find the right combination, as, out of 1,000 possible combinations, more than 200 include a 9. Similarly, an individual trying to guess a password, knowing that it includes (or excludes) specific characters or words, would need considerably less time and fewer resources to succeed.
In the next section, we will see in a little more detail how brute force is applied and how to defend yourself.
How are brute-force attacks carried out?
An average hacker can use software such as John the Ripper or Hashcat, which makes it easy to start a brute-force operation, provided you are equipped with a computer with sufficiently powerful processors. Because of their computing power relative to energy cost, GPUs are, for example, excellent processors for this type of operation. They can be purchased without major investment, not to mention that they can easily be resold. This should help you understand how, at least in theory, this type of attack is within the average person’s reach. But how much time does a brute-force attack really take?
Estimates are continuously revised, since the constant improvement of processors increases the effectiveness of this technique. Nowadays (2022) it is estimated that an attacker can recover an 8-character password containing only uppercase and lowercase letters in just 2 minutes. If the same password contains numbers, symbols and letters, it takes about 40 minutes. A 12-character password containing only upper- and lowercase letters would take two days instead. What if it also contains numbers and special characters? About 3,000 years. This is why, as mentioned at the beginning of this article, service providers request, and sometimes demand, that you come up with a long and complex password.
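To make the arithmetic behind the luggage example and these time estimates concrete, here is an added calculator (not from the article) that sizes the search space for a given alphabet and length, converts it to an expected search time at an assumed guess rate, and measures how much of the space is eliminated when one symbol is known to be absent. The guess rate is an assumption for illustration, not a measured figure.

```python
import string

# Alphabet sizes behind the article's two cases: letters only, and letters
# plus digits and symbols (standard printable ASCII classes).
ALPHABETS = {
    "letters": len(string.ascii_letters),                                              # 52
    "letters+digits+symbols": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}

GUESSES_PER_SECOND = 1e10  # assumed attacker rate for illustration only


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` over an alphabet."""
    return alphabet_size ** length


def expected_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Expected time to hit the right candidate: on average half the space is searched."""
    return keyspace(alphabet_size, length) / rate / 2


def describe(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def eliminated_fraction(alphabet_size, length):
    """Luggage example: share of the keyspace ruled out once one symbol is known
    never to appear (the remaining space is (alphabet_size - 1) ** length)."""
    total = keyspace(alphabet_size, length)
    return (total - keyspace(alphabet_size - 1, length)) / total


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (8, 12):
            print(f"{name:24} len={length:2}: {describe(expected_seconds(size, length))}")
    # 3-dial lock (10 digits each) with one digit known absent.
    print(f"lock: {eliminated_fraction(10, 3):.1%} of 1,000 combinations eliminated")
```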
How to protect yourself from brute force attacks
It is therefore evident that the complexity and length of passwords have a significant impact on the probability that someone will be able to access a system. It is certainly no coincidence that encryption standards such as AES now employ longer and more complex keys than before. At the same time, though, a human being’s ability to invent and remember strong passwords has not increased over the last decades, correct?
Not exactly. Thanks to password managers and the automation of some controls (for example, the obligation to update the password after a certain period of time), today it is easy to keep the habit of creating passwords that follow a few key principles:
- Password rotation and uniqueness: the passwords you own are different for each platform (or at least for the most important ones) and are updated periodically. Many services and systems also let you set up periodic notifications that remind you of the password’s “expiration date” (without taking drastic actions such as blocking your account).
- Complexity: the passwords you use must include uppercase and lowercase letters and special characters; there are tools (not necessarily password managers) that generate passwords that are as long and complex as they are easy to remember.
- Ease of recovery and multi-factor: Multi-factor authentication, new login notifications, and credential recovery tools ensure that if you forget a strong password or if your credentials ever fall into someone’s hands, you stay in control of your access.
Since brute force has been used since the dawn of computer crime, and since it requires no specific expertise, various deterrents have been developed and continuously updated to counter this type of attack effectively. The ease of use of these deterrents means that brute force, although effective in theory, is easily thwarted by an internet community with good computer-hygiene habits.
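One of the server-side deterrents the paragraph alludes to, and the reason the offline time estimates above do not carry over to a login form, is progressive lockout. The following is an added example, not code from the article: a per-account throttle that doubles the wait after each failure beyond a threshold, plus a helper that shows how few guesses such a policy leaves an attacker per day. The thresholds and delays are assumed values.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account progressive lockout: after `threshold` consecutive failures, every
    further failure doubles the wait before the next attempt, up to `max_delay` seconds."""

    def __init__(self, threshold=5, base_delay=1.0, max_delay=900.0, clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                        # injectable so tests can fake time
        self._failures = defaultdict(int)         # consecutive failures per account
        self._blocked_until = defaultdict(float)  # earliest time the next attempt is accepted

    def allowed(self, account):
        """True if the account may attempt a login right now."""
        return self.clock() >= self._blocked_until[account]

    def record_failure(self, account):
        """Register a failed attempt; returns the delay (seconds) imposed, 0 if below threshold."""
        self._failures[account] += 1
        excess = self._failures[account] - self.threshold
        if excess < 0:
            return 0.0
        delay = min(self.base_delay * 2 ** min(excess, 60), self.max_delay)  # exponent capped
        self._blocked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        """A correct login resets the counter and clears any block."""
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)


def attempts_within(window_seconds, threshold=5, base_delay=1.0, max_delay=900.0):
    """Guesses against one account that fit in `window_seconds` under this policy,
    assuming the attacker retries the instant each wait expires."""
    attempts, elapsed, excess = threshold, 0.0, 0
    while True:
        delay = min(base_delay * 2 ** min(excess, 60), max_delay)
        if elapsed + delay > window_seconds:
            return attempts
        elapsed += delay
        attempts += 1
        if delay < max_delay:
            excess += 1


if __name__ == "__main__":
    # With this budget, exhausting even the 52**8 letters-only space of the article
    # would take on the order of 10**11 days against a single account.
    print(f"guesses per day per account: {attempts_within(86_400)}")
```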