What Is a Brute Force Attack?
In the world of cybercrime, a brute force attack is an activity that involves repeated, successive attempts at various password combinations to break into a website. Attackers carry out these attempts persistently. They also make use of bots they have installed maliciously on other computers to boost the computing power required to run such attacks.
A brute force attack is the simplest method of gaining access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in. This repetitive action is like an army attacking a fort.
How Are Brute Force Attacks Used?
Brute force attacks are usually used to obtain personal information such as passwords, passphrases, usernames and Personal Identification Numbers (PINs). The attacker uses a script, hacking application, or similar process to carry out a string of continuous attempts to get the information required.
Goals of a brute force attack include:
- Theft of personal information such as passwords, passphrases and other information used to access online accounts and network resources
- Harvesting credentials to sell to third parties
- Posing as users to send phishing links or spread fake content
- Defacement of websites and other information in the public domain that could damage the reputation of the organization
- Redirecting domains to sites holding malicious content
They can also be used for positive ends. Many IT specialists use this method of attack to test network security and, more specifically, the strength of the encryption used on the network.
Brute Force Attack Tools
An attacker is usually aided by automated software that systematically checks password combinations until the correct one is identified. A brute force password cracking application is required in order to go through the numerous combinations and possibilities that would be difficult or impossible for a human to work through alone. Popular examples of brute force attack tools include:
Types of Brute Force Attacks
The most basic brute force attack is a dictionary attack, in which the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start with some assumptions about common passwords, taken from the list in the dictionary. These attacks tend to be somewhat outdated, given newer and more effective techniques.
Computers manufactured within the last 10 or so years can brute force an 8-character alphanumeric password (capital and lowercase letters, numbers, and special characters) in about two hours. Computers are so fast that they can brute force a weak encryption hash in mere months. This kind of brute force attack is known as an exhaustive key search, where the computer tries every possible combination of every possible character to find the right one.
Credential recycling is another type of brute force attack; it reuses usernames and passwords from other data breaches to try to break into other systems.
The reverse brute force attack uses a common password like “password” and then tries to brute force a username to go with it. Since “password” was one of the most common passwords in 2017, this technique is more successful than you might think.
Motives Behind Brute Force Attacks
Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entry into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.
Attackers also use brute force attacks to look for hidden web pages: pages that are live on the internet but are not linked from other pages. A brute force attack tests different addresses to see if they return a valid web page, seeking out a page the attacker can exploit, such as a software vulnerability in the code that could be used for infiltration (like the vulnerability used to infiltrate Equifax) or a web page that contains a list of usernames and passwords exposed to the world.
There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to improve their chances of finding a positive (for them) result.
How to Defend Against This Attack?
Brute force attacks need time to run. Some attacks can take weeks or even months to produce anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically feasible. But that is not the only defense.
Here are some precautionary measures for you to take:
- Password Length.
- Password Complexity.
- Limit Login Attempts.
- Modifying .htaccess file.
- Using Captcha.
- Two Factor Authentication.
The first step towards brute force attack prevention should be a longer password. Nowadays many websites and platforms require their users to create a password of a certain length (8 – 16 characters).
Another important measure is to create a complex password. It is not recommended to create passwords like ‘ilovemycountry’ or ‘password123456’; instead, your password should consist of UPPERCASE and lowercase letters and should also include numbers and special characters. Password complexity delays the cracking process.
Limit Login Attempts:
A simple yet very powerful measure is to limit the login attempts on your WordPress admin, or any other admin panel for that matter. For example, if your website receives five failed login attempts from one IP, it should block that IP for a certain period of time to stop further attempts.
Modifying .htaccess file:
Adding a few rules to the .htaccess file can further harden your WordPress site. The objective is to allow access to wp-admin (via the login page, wp-login.php) only from the specific IP addresses listed in the .htaccess file.
To do so, open your .htaccess file and add a block like the following (the `<Files>` directive matches the file name, so it is `wp-login.php` rather than a path, and it must be closed):

```apache
<Files wp-login.php>
    order deny,allow
    deny from all
    allow from IP1
    allow from IP2
</Files>
```

IP1 and IP2 are the IP addresses you allow access from; replace them with real addresses. These directives use the Apache 2.2 access-control syntax; on Apache 2.4 they need mod_access_compat (or the equivalent `Require ip` directives).
Captchas are now commonly used on websites. They prevent bots from executing the automated scripts mainly used in brute force attacks. Installing a captcha on your WordPress site is fairly easy.
Install the Google Invisible reCaptcha plugin and link it to your Google account. Then go back to the plugin settings page and define the places where you would like the user to complete the captcha before performing the actual task. This plugin also supports WooCommerce, BuddyPress and custom forms.
Two Factor Authentication:
Two factor authentication is an extra line of defence that can protect your account from a brute force attack. The chances of successfully executing a brute force attack on a 2FA-protected site are very slim. There are various ways to implement 2FA on your WordPress site.
Cloudflare is a well-known service for WordPress that usually deals with CDN and caching. It also offers protection against brute force attacks: through the Cloudflare settings, users can set rules for accessing login pages and enable Browser Integrity Check.
Other best practices are:
- Unique and strong password for each account.
- Frequent password change.
- Avoid sharing credentials through insecure channels.
Am I safe on Cloudways?
Yes. At Cloudways, we stay on our toes when it comes to server security. Our security system is capable of identifying brute force attacks and banning IPs being used in such attacks. Keeping servers managed on our platform is one of our main priorities.
During the past few months, we have patched servers for all the discovered security shortfalls, including popular ones like Heartbleed and GHOST.
Therefore, we are always at work to protect our Cloudways Platform and the servers hosted on it.
In practice it is better to detect an attack in progress and actively stop it than to hope your passwords are uncrackable. Once you detect and stop the attack, you can even blacklist the IP addresses involved and prevent further attacks from the same computer.
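The following is an added example (not code from the original post or from Cloudways) of the two ideas above: the five-failures-then-block rule from the "Limit Login Attempts" section and the detect-and-ban approach described here. It assumes a constructed log format of one failed login per line; the window and lockout lengths are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the post: five failed logins from one IP -> block that IP for a while.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)     # failures must fall inside this sliding window (assumed)
BLOCK_FOR = timedelta(minutes=30)  # lockout length (assumed)

# Constructed log format: "<ISO timestamp> FAILED_LOGIN user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) FAILED_LOGIN user=(\S+) ip=(\S+)$")

# Constructed sample lines, not a real server log.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAILED_LOGIN user=admin ip=203.0.113.7
2024-01-01T10:00:02 FAILED_LOGIN user=admin ip=203.0.113.7
2024-01-01T10:00:03 FAILED_LOGIN user=admin ip=203.0.113.7
2024-01-01T10:00:04 FAILED_LOGIN user=admin ip=203.0.113.7
2024-01-01T10:00:05 FAILED_LOGIN user=admin ip=203.0.113.7
2024-01-01T10:00:06 FAILED_LOGIN user=admin ip=203.0.113.7
2024-01-01T10:05:00 FAILED_LOGIN user=alice ip=198.51.100.9
2024-01-01T10:45:00 FAILED_LOGIN user=admin ip=203.0.113.7
"""

def detect_blocks(log_text):
    """Return (ip, block_start, block_end) tuples: the fifth failure from an IP
    inside WINDOW triggers a block; attempts made during a block are ignored."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked_until = {}           # ip -> datetime when the block expires
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login event
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(3)
        if ip in blocked_until and ts < blocked_until[ip]:
            continue  # already locked out; the request never reaches the form
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()  # drop failures older than the window
        if len(q) >= MAX_FAILURES:
            blocked_until[ip] = ts + BLOCK_FOR
            decisions.append((ip, ts, ts + BLOCK_FOR))
            q.clear()  # start a fresh count once the lockout expires
    return decisions

print(detect_blocks(SAMPLE_LOG))
```

The sixth attempt from 203.0.113.7 is dropped because the IP is already blocked, the single failure from 198.51.100.9 never reaches the threshold, and the attempt at 10:45 starts a fresh count after the lockout has expired.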