What is a brute force attack?

Brute force attacks are based on the trial-and-error method of obtaining passwords or access credentials.

In a brute force attack, hackers attempt to guess passwords or other credentials to gain access to endpoints and/or user accounts. The attackers try password combinations one after another (trial and error) until they find the correct credentials for a particular user account. Cracking a password can take anywhere from seconds to virtually forever, depending on the length and complexity of the password. Depending on the technical design, and therefore the security level, of the access technology used by the portal, application or device, and on the strength and complexity of the passwords in use, password-protected access can be practically impossible to crack. This is because it is up to the platform operator to decide how many combinations an attacker can test per user in a given period of time (keyword: lock-out functionality).

In addition, the infrastructure resources available to the attacker are a second critical factor in the success of an attack, as computing power determines the number of operations (or access attempts) per unit of time. Technological progress is on the side of the attacker. An attacker who today needs 4 hours to crack an 8-character password, including numbers and special characters, will probably only need 15 minutes in four years.
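The effect of lock-out functionality can be made concrete with a short Python sketch (an added example, not code from the original article). It implements a per-account lockout and estimates how many guesses per day the policy still lets through; the class name, the default thresholds and the 95-character alphabet are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

DAY_S = 86_400

class LockoutPolicy:
    """Lock an account for lock_s seconds after max_failures failures within window_s."""

    def __init__(self, max_failures=5, window_s=300, lock_s=900):
        self.max_failures, self.window_s, self.lock_s = max_failures, window_s, lock_s
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def record_attempt(self, account, success, now):
        """Process one login attempt at time `now` (seconds): 'locked', 'ok' or 'failed'."""
        if now < self._locked_until.get(account, 0):
            return "locked"                  # rejected before the password is even checked
        if success:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()                 # forget failures outside the sliding window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_s
            recent.clear()
        return "failed"

    def sustained_guesses_per_day(self):
        """Approximate number of guesses per account per day the policy still lets through."""
        trip_the_lock = self.max_failures * DAY_S // self.lock_s       # burst, then wait out lock
        stay_below = (self.max_failures - 1) * DAY_S // self.window_s  # never reach the threshold
        return max(trip_the_lock, stay_below)

def years_to_exhaust(alphabet_size, length, guesses_per_day):
    """Worst-case years to try every password of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_day / 365

if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed sample: six rapid failures against one account, then a later valid login.
    print([policy.record_attempt("alice@example.com", False, t) for t in range(6)])
    print(policy.record_attempt("alice@example.com", True, 904))
    rate = policy.sustained_guesses_per_day()
    # Assumption: 95 printable ASCII characters, 8-character password.
    print(rate, f"{years_to_exhaust(95, 8, rate):.2e} years")
```

With these assumed defaults, the counting window rather than the lock duration sets the ceiling: staying just below the threshold allows more guesses per day than repeatedly triggering the lock, so both values need to be chosen together.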

How does a hacker carry out a brute force attack?

First, the attacker chooses a target. Basically, there are two types of attackers. On the one hand, there is the contract attacker, who deliberately tries to find a vulnerability in a specific website, application or database, even at great expense and effort. Brute force attacks are one of the preferred methods of such hackers.

On the other hand, there is the opportunistic hacker, who does not care which system they gain access to. This allows them to look at different targets and decide whether an attack is worth the effort. They will often prefer poorly protected databases or applications. With simple tests, they can quickly get a first impression of the security standard of an application, e.g. the procedures used, the externally visible code, the functionality and responses of a website, and the presence of certain security measures (e.g. lockout functionality, password strength check, allowing only unbreakable passwords, response texts for access, etc.).

Once the attacker has selected a target, they systematically attempt to gain access using linearly generated credentials. To this end, they use the username (usually an email address) of the account they explicitly want to access together with the generated passwords, which they test one at a time in the hope of finding a working combination.

Depending on what information the hacker has learned about vulnerabilities from their preliminary tests, they use these data points to prepare the subsequent attacks as well as possible. For example, it is very helpful to know what requirements the system places on passwords, or to what extent the system allows the hacker to systematically test different passwords.

In addition to brute force attacks, there are other very popular attack methods used by hackers, such as dictionary attacks, password spraying, phishing, man-in-the-middle attacks, keyloggers, or credential stuffing, which we will discuss in more detail in other blog posts.

Probability of success of a brute force attack

Brute force attacks are a relatively old attack method that is still very popular among hackers because it has the highest probability of success of all attack methods, although it can take a very long time, in theory indefinitely. In its purest form, a brute force attack involves trying every combination of characters and numbers in a password, one at a time. If there are no access restrictions on the provider side, such as a lockout feature, it is technically only a matter of time before an attack is successful. To have a realistic chance of finding a critical mass of username/password combinations, hackers often test millions or billions of possible passwords. To do this, they regularly use tools or their own scripts that help them to automatically perform as many operations per unit of time as possible. However, depending on the complexity and length of the password, it can take days, weeks, months, or even millennia for the attacker to achieve their goal.

Therefore, from a hacker's point of view, it often makes sense to accelerate this systematic trial-and-error process with measures that increase the chances of success, or to combine brute force with other methods. Basically, there are two simple methods. The first method uses lists of usernames and passwords available on the darknet. This method usually helps to speed up the trial-and-error process when searching for many compromised accounts. The second method, used alone or in addition to the darknet lists, is the so-called dictionary method. In addition, other automated rules, such as adding numbers and special characters, can be applied and tested in a complementary manner.

While the brute force method is at least theoretically successful at some point, testing compromised passwords already available on the darknet, as well as words in the dictionary, can only be successful if users are using passwords that do NOT meet current security standards.