Brute Force Attacks: What They Are, How They Work, How to Prevent Them

PUBLISHED ON October 6, 2022
LAST UPDATED Oct 06, 2022

While brute force attacks aren’t new, they’re still one of the go-to methods for attackers to infiltrate corporate networks. A report showed a 671% increase in brute force attacks in just one week in June 2021, with 32.5 percent of organizations being targeted. 

Brute force attacks are common among cybercriminals because of their high success rate. Why are brute force attacks always successful? Bad actors can use computer programs to test an infinite number of possible username/password combinations until they find a match. With enough computing power (which has become much cheaper these days) and some patience, it’s easier than ever to crack passwords. 

With the right strategy, policy, and technology, you can stop these attacks from infiltrating your infrastructure. Let’s start with a comprehensive understanding of how brute force attacks work and then see what you can do to protect your organization. 

What Is a Brute Force Attack? 

Attackers use brute force attack methods to crack passwords, login credentials, and encryption keys. The trial-and-error approach is a deceptively simple yet reliable way to gain unauthorized access to employee accounts, which criminals can use to access an organization’s systems, networks, and sensitive data. 

Even though brute force attacks have been around for quite a while, the methods have evolved. Attackers have shifted from the good old “spray and pray” style to highly sophisticated techniques. They also strategically target users with extensive access privileges to attack partners, vendors, and other departments in the organization. 

Criminals may use brute force attacks for various objectives. These include stealing personal information, spreading malware, hijacking systems for malicious activities (e.g., DDoS attacks), ruining an organization’s reputation, rerouting website traffic to generate ad revenue, or placing spam ads on popular websites to make money. 

What is a brute force algorithm? 

A brute force algorithm isn’t confined to hacking. It’s a general problem-solving technique in computer science where brute-force or exhaustive search (also called generate and test) is employed to systematically enumerate all possibilities for a solution, then check if each candidate satisfies the problem’s statement. 

7 Types of Brute Force Attacks 

Attackers use different types of brute force attacks, depending on their motives, objectives, and target. Here are the most common types and how they work: 

1. Simple Brute Force Attacks 

This method exploits weak passwords or poor password hygiene, such as using the same username and password combo or personal identification number (PIN) codes for multiple accounts. A threat actor simply guesses the target’s login credentials manually without software. 

Attackers can also crack a victim’s password by researching the individual (e.g., on social media) because people tend to incorporate their spouses’ information, children’s names, favorite sports teams, important dates, etc., into their passwords. 

2. Dictionary Attacks 

Hackers test potential passwords against a target’s username, combining common words and phrases and substituting alphabets with special characters and numbers. This method also involves using passwords leaked in previous data breaches, which attackers can buy on the dark web.  

3. Hybrid Brute Force Attacks 

This method combines a dictionary attack with a simple brute force attack. To meet password requirements (e.g., include alphabets and numerics), people often add numbers to the end of a common word or phrase, with the number being a year that holds significance to them (e.g., birth or graduation year.) 

4. Reverse Brute Force Attacks 

Attackers start with a known password (e.g., obtained through a data breach) and search through a database of millions of usernames to find a match. They may also use a common weak password, like “password1234,” to attempt to find a match. 

5. Credential Stuffing 

Criminals use stolen usernames and passwords they bought off the dark web to attempt to log into various websites. Credential stuffing has a high success rate because many people use their login credentials repeatedly on everything from social media to bank accounts. 

6. Password Spraying 

This method often targets victims who use single sign-on (SSO) or cloud-based apps with federated authentication to circumvent lockout policies. Attackers start with a common password and apply it to different user accounts until they find a match to gain access to multiple platforms in one fell swoop. 

7. Botnets 

Criminals need a lot of computing power to carry out brute force attacks at scale. They hijack computers to execute the brute force algorithm to win the numbers game. This method allows attackers to save on costs while adding a layer of anonymity. 

The Most Common Brute Force Attack Tools 

Various brute force attack tools are available for different objectives, platforms, and protocols. Many can be downloaded for free on the open Internet, making it even more appealing for attackers to adopt this attack method. Here are some popular ones and how they work: 

  • Aircrack-ng: This WiFi password tool helps criminals crack various WiFi security protocols, including WEP, WPA, and WPA2-PSK. Criminals can also use it to attack WiFi 802.11 and any network interface card (NIC) with raw monitoring mode. 
  • THC Hydra: Attackers can use this password-cracking software against 30+ protocols for network authentication, including HTTPS, FTP, and Telnet. 
  • DaveGrohl: This tool can perform dictionary attacks against macOS X. Attackers can use the distributed mode to attack multiple machines with the same password hash. 
  • John the Ripper: Originally developed for Unix systems, this password-cracking tool is now available for over 15 platforms (e.g., Windows, OpenVMS, DOS.) It identifies hashing used in a password and runs it against encrypted password storage. 
  • Hashcat: Hackers can use this CPU-based password-cracking tool for Windows, macOS, and Linux to perform simple brute force, dictionary, and hybrid attacks.  
  • NL Brute: This brute force tool works against remote desktop protocol (RDP) to speed up the pace of scanning and cracking passwords. 
  • Rainbow Crack: This software generates pre-computed rainbow tables to reduce the time required to launch a successful brute force attack. 
  • Ophcrack: This open-source password-cracking tool for Windows uses rainbow tables and LM hashes to perform attacks.  

How to Prevent Brute Force Attacks 

Attackers can perform brute force attacks against a wide range of entry points into your systems, networks, applications, and API integrations — in short, anything that requires users to log in is fair game.  

As such, your defense against brute force attacks must cover all the bases with a combination of tried-and-true techniques and the latest technologies to counter immediate attacks while proactively preventing future incidents. Here’s how: 

1. Implement Strong Password Practices 

Your first line of defense is to make passwords as hard to crack as possible. Educate end users on password best practices and enforce a strict password policy. For example, employees shouldn’t use login credentials for their personal activities (e.g., social media) on company accounts or incorporate personal information, such as birthdays, into their passwords.  

Requiring users to change their passwords every two to three months is no longer recommended because most people would run out of ideas and start recycling passwords! Instead, the National Institute of Standards and Technology (NIST) advises changing passwords only when a potential breach may jeopardize your security. 

Also, discourage sharing accounts and passwords among team members. Implement a password management tool to help employees manage their passwords and allow them to share access to specific accounts on SaaS platforms when necessary. 

2. Use Multi-Factor Authentication (MFA) 

MFA or two-factor authentication (2FA) require users to supply a piece (or multiple pieces) of information besides the username/password combo to prove that they’re indeed who they say they are. For example, the system will send a unique code to the user’s mobile device after they enter their username and password to verify their identity. Other authentication methods include biometrics and tokens. 

MFA can prevent criminals from accessing your employees’ accounts even if they get ahold of the usernames and passwords. Many cloud-based platforms and applications already have this feature built-in, so all you need to do is to activate it for all user accounts. 

3. Set Login Limits and Improve Monitoring 

Limit the number of login attempts before locking an account. You can also monitor the IP addresses from which the login attempts originate to block suspicious activities. This method is essential in the age of remote work where employees may sign in from different locations. 

Also, implement endpoint monitoring tools to gain visibility into all the devices connected to your infrastructure. You can identify and respond to abnormal activities and suspicious login attempts in real-time before hackers can do further damage. 

4. Protect APIs and Web Applications 

The proliferation of cloud-based web applications means you must extend your protection beyond the four walls of your office. A cloud-native web application firewall (WAF) can protect your systems and networks against botnet, credential stuffing, or account takeover attacks. It can also prevent distributed denial-of-service (DDoS) attacks that could divert your resources from protecting other parts of your network. 

While APIs are essential for making various applications work together seamlessly, they also present more opportunities for hackers to infiltrate your infrastructure. Our container-based agentless deployment makes it a breeze to secure any API, web application, and tech stack to deliver the most up-to-date protection. 

5. Implement Bot Management Capabilities 

Organizations must implement automation technologies to block unwanted traffic as more criminals use bots to automate and scale brute force attacks. For example, ThreatX combines bot detection with application intensity analyses to identify credential stuffing, reputation attacks, etc., behind the scene, so you don’t have to introduce additional friction to the user experience (e.g., CAPTCHAS.) 

Blocking bots is just one part of the equation. Your tool should also provide detailed reporting so your security team can have visibility and context to deploy further mitigation tactics. The granular view helps analysts quickly investigate bot-based activities and make the right decisions to ensure that you’re using your resources to serve valid users. 

6. Use Analytics to Inform Security Decisions 

Detecting anomalies, such as changes in IP address and user agent, is key to identifying brute force attacks. You can paint a complete picture of your risk environment and take proactive, accurate, focused measures to protect your infrastructure by tracking and analyzing suspicious activities over time. 

The right analytics capabilities allow you to not only identify isolated events but also see how a brute force attack may be part of a larger, coordinated intrusion. For example, ThreatX uses entity tracking and risk attribution to help you connect the dots and application profiling to identify abnormal application behaviors that could indicate a successful brute force attack. 

Moreover, companies must stay one step ahead of threat actors who constantly develop and deploy new methods. Our entity fingerprinting capabilities enable you to identify attackers even if they change tactics. Meanwhile, our attacker-centric behavioral analytics considers context and intent to stop attacks even if the specific techniques haven’t been seen before. 

Multi-faceted, Proactive Protection Against Brute Force Attacks 

While the principles of brute force attacks haven’t changed, the methods are constantly evolving. Criminals are using more advanced techniques and employing them in tandem with other attacks to breach corporate networks.  

As such, your security tools must evolve and adapt to combat new hacking techniques and cover fast-growing attack surfaces brought about by the proliferation of APIs and web applications. 

ThreatX is built from the ground up to address modern-day cybersecurity needs, allowing you to automate application security and paint a comprehensive picture of your threat environment. You’ll have the data and visibility you need to take a proactive stance against intruders without straining your IT resources. 

Request a demo to see how we can help you stay ahead in the cybersecurity game. 


About the Author

Neil DuPaul

Neil DuPaul is the Sr. Director of Demand Generation at ThreatX and works with the team to execute impactful, customer-centric campaigns. He has 15+ years marketing a variety of cybersecurity solutions, executing a range of tactics and strategies across many business functions. A lifelong learner and gamer with a zest for physical activity.