
Brute force attacks

Introduction
A brute force attack, as the name suggests, is a methodical trial-and-error strategy for guessing account passwords and passphrases. A program systematically and automatically tries candidate passwords, working through the possibilities until it either finds the correct one or exhausts its list. The number of guesses needed grows multiplicatively with every extra character, which is why length matters so much.

Examples
There is plenty of good advice on choosing a password or passphrase:

    • Never use common passwords like 'password', 123456, 123ABC and so on.
    • Always make sure the password is longer than 8 characters; every extra character multiplies the number of combinations an attacker has to try.
    • Never use a real word, name or date of birth.
    • Always use a mixture of upper and lower case characters, numbers and special characters in the password.

A brute force attack will typically check the password against, in roughly this order:

    • the common passwords that people really shouldn't use
    • a database of common names
    • a database of dictionary words, often with simple variations such as capitalisation or appended digits
    • famous dates, then all dates
    • finally, every combination of letters, numbers and symbols, starting with the shortest
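The search order above, as an added example that is not part of the original page: it generates guesses from constructed wordlists first and falls back to exhaustive enumeration of short strings, checking each guess against a salted hash. The wordlists, salt and the single-round SHA-256 hash are assumptions for the example; a real attacker uses lists of millions of leaked passwords, and a real system should store passwords with a slow hash such as bcrypt or Argon2.

```python
import hashlib
import itertools
import string

# Constructed sample wordlists (real attacks use lists of millions of entries).
COMMON_PASSWORDS = ["password", "123456", "123ABC", "qwerty", "letmein"]
COMMON_NAMES = ["james", "mary", "john", "patricia", "robert"]
DICTIONARY_WORDS = ["apple", "summer", "dragon", "monkey", "welcome"]
FAMOUS_DATES = ["1066", "1776", "1945", "1969", "2000"]


def candidates(max_exhaustive_len=4, alphabet=string.ascii_lowercase + string.digits):
    """Yield guesses in the order an attacker would try them: cheap, high-probability
    lists first, then all years, then exhaustive enumeration of short strings."""
    for wordlist in (COMMON_PASSWORDS, COMMON_NAMES, DICTIONARY_WORDS, FAMOUS_DATES):
        for word in wordlist:
            # each word plus the mangling rules people actually apply to it
            yield word
            yield word.capitalize()
            yield word + "1"
            yield word + "123"
    for year in range(1900, 2030):  # "all dates", reduced to years for brevity
        yield str(year)
    # Exhaustive search: every string up to max_exhaustive_len, shortest first.
    for length in range(1, max_exhaustive_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def hash_password(password, salt):
    """Toy password hash: one round of salted SHA-256 (assumption for the example;
    a fast hash like this is exactly what makes offline brute force cheap)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def brute_force(target_hash, salt, max_guesses=2_000_000):
    """Return (password, guesses_used), or (None, guesses_used) if not found
    within max_guesses candidates."""
    n = 0
    for n, guess in enumerate(candidates(), start=1):
        if n > max_guesses:
            return None, n - 1
        if hash_password(guess, salt) == target_hash:
            return guess, n
    return None, n


def search_space(alphabet_size, length):
    """Number of strings of exactly `length` characters over `alphabet_size` symbols.
    94 printable ASCII characters at length 8 already gives 94**8 (about 6e15)."""
    return alphabet_size ** length


if __name__ == "__main__":
    salt = b"constructed-salt"
    for pw in ("password", "dragon1", "zz9"):
        found, guesses = brute_force(hash_password(pw, salt), salt)
        print(f"{pw!r}: recovered {found!r} after {guesses} guesses")
    print("8-char mixed password search space:", search_space(94, 8))
```

Running it shows the point of the list ordering: "password" falls on the first guess, a dictionary word with a digit appended falls within a few dozen, and a random three-character string still needs tens of thousands, with each extra character multiplying that count by the alphabet size.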

Remember, computers are very fast and very good at repeating the same task, so carrying out a brute force attack is no particular problem in principle. In practice, though, an exhaustive search can still take a very long time, because the number of combinations multiplies with every extra character. If a good password is chosen and counter-measures are in place, a brute force attack can be stopped from succeeding.

How to combat brute force attacks

    • The most important thing is to ensure that users follow the widely available advice on selecting strong passwords, and that the software enforces it, for example by rejecting passwords that appear on common-password lists.
    • A good way of selecting, using and managing complex passwords is to use a password manager, for example the free KeePass.
    • An online account should limit the number of failed login attempts before the account is locked and the user has to contact the provider to reset the password, or it should delay successive attempts by, say, 30 seconds. Either measure slows an online brute force attack to an unusable rate: at one guess every 30 seconds, even a few thousand candidates take more than a day.
    • Users should not only have a password to log in to an online account; the provider should also send the user a one-time code (often called a PIN) to their mobile phone. Because the code changes on every login, even if the password is guessed by a brute force attack, the attacker cannot get into the account without the current code.
    • Some banks, for example, provide an additional piece of hardware that looks a little like a calculator. It generates a different code each time the user wants to log in; the code must be entered along with the password and other details to access the account.
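The two server-side measures above (limiting and delaying attempts, and requiring a one-time code that changes on every login) as an added example that is not part of the original page. The threshold of five failures, the 30-second delay and the 30-second code step are assumed policy values; the one-time code uses the HMAC-based truncation of RFC 4226/6238 (TOTP), which is also how the calculator-style bank tokens and phone apps derive their codes. The shared secret and usernames are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

MAX_FAILURES = 5    # assumed policy: lock the account after this many failures
DELAY_SECONDS = 30  # assumed policy: minimum gap between attempts after a failure
CODE_STEP = 30      # seconds a one-time code stays valid (TOTP default)


class LoginGuard:
    """Per-account failure counter that enforces a delay after each failure
    and a lockout once MAX_FAILURES is reached. `clock` is injectable so the
    behaviour can be tested without waiting."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # username -> consecutive failed attempts
        self.next_allowed = {}  # username -> earliest time the next attempt is accepted
        self.locked = set()     # usernames that must be reset by the provider

    def check(self, username, password_ok, code_ok):
        """Return "ok", "denied", "too_soon" or "locked" for one login attempt.
        password_ok / code_ok are the results of the credential checks."""
        now = self.clock()
        if username in self.locked:
            return "locked"
        if now < self.next_allowed.get(username, 0):
            return "too_soon"  # attempt arrived inside the delay window: not even evaluated
        if password_ok and code_ok:
            self.failures.pop(username, None)
            self.next_allowed.pop(username, None)
            return "ok"
        # A correct password with a wrong code still counts as a failure:
        # the guessed password alone is useless without the current code.
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
            return "locked"
        self.next_allowed[username] = now + DELAY_SECONDS
        return "denied"


def one_time_code(secret, now, digits=6):
    """TOTP (RFC 6238): HMAC-SHA1 over the current time step, dynamically truncated
    to `digits` decimal digits. Phone and token both compute this from the shared secret."""
    counter = int(now // CODE_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_code(secret, submitted, now):
    """Constant-time comparison of the submitted code with the one for this step."""
    return hmac.compare_digest(one_time_code(secret, now), submitted)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; real secrets are random per user
    guard = LoginGuard()
    now = time.time()
    # Attacker has the right password but no access to the user's phone/token.
    print(guard.check("alice", True, verify_code(secret, "000000", now)))  # denied
    # Legitimate user with the current code.
    print(guard.check("alice", True, verify_code(secret, one_time_code(secret, now), now)))  # ok
```

The guard returns "too_soon" without evaluating the credentials at all, so a client hammering the endpoint learns nothing from those responses; the lockout state is only cleared by the provider's reset process, which is the "contact the company" step in the text.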
