Everything You Need to Know About Brute-Force Attacks


Brute force is a fairly easy attack to understand, and it is very hard to protect against. Encryption is nothing but math, and since computers are very good at math, they can crack it easily. Brute forcing means trying every possible combination until the correct value is found.

Brute-force attacks can be used against all forms of encryption, with a degree of success that varies from type to type. These attacks get better and more effective with each passing day as newer and faster computer hardware is released onto the market.

Basics

Brute-force attacks are very simple to understand. Let's say you have an encrypted file and an encryption key that unlocks it. To decrypt it, an attacker can begin by trying every single possible password and checking whether the result is a decrypted file.

This can be done automatically with a computer program, so the speed at which one can brute-force encryption increases exponentially as the available computer hardware gets faster and is capable of more calculations per second. A brute-force attack generally starts with one-character passwords, then moves on to two-character passwords and so on, trying all possible combinations until it finds the correct one.

A “dictionary attack” is a very similar attack that tries words from a dictionary or a list of common passwords instead of all possible passwords. This is very effective, as many people use such common and weak passwords.

Brute-Force Limits

There is a difference between offline and online brute-force attacks. For example, if you want to brute-force your way into a Gmail account, you would begin by trying every single possible password, but Google would quickly cut you off. Services that provide access to such accounts limit how many attempts can be made and ban IP addresses that attempt to log in too many times. This is why an attack against an online service does not work well: you are left with very few attempts before the attack is halted.

For example, after a fixed number of failed login attempts, Gmail presents a CAPTCHA image to verify that you aren't a computer automatically trying passwords. They will likely stop your login attempts completely if you manage to continue for long enough. Of course, there are now methods to bypass CAPTCHAs as well.

[Image: gmail-captcha]

Hashing

Many of the latest, strong hashing algorithms have the ability to slow down brute-force attacks. Basically, a hashing algorithm does additional math on the password before the resulting value is stored on disk. If such a hashing algorithm is used, it takes thousands of times as much mathematical work to try each password, which dramatically slows down a brute-force attack. However, the more work required, the more work a server or other computer has to do each time a user logs in with the password. Software must balance resilience against brute-force attacks with resource usage.
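To make that trade-off concrete, here is an added example (not code from this article) that stores and verifies a password with PBKDF2-HMAC-SHA256 and then estimates how the per-guess cost scales the time of an exhaustive search over a constructed keyspace. The iteration counts, the benchmark salt and the 8-character lowercase keyspace are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
SALT_BYTES = 16


def store_password(password: str, iterations: int) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and keep the work factor with it."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-run the same work factor at login; the server pays this cost on every login."""
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def keyspace_size(alphabet_size: int, max_length: int) -> int:
    """Number of candidates an exhaustive search must try for lengths 1..max_length."""
    return sum(alphabet_size ** length for length in range(1, max_length + 1))


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one PBKDF2 evaluation on this CPU (a constructed benchmark, not attacker hardware)."""
    salt = b"constructed-benchmark-salt"  # assumption: fixed salt just for timing
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(HASH_NAME, b"benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


def exhaustive_search_seconds(alphabet_size: int, max_length: int, secs_per_guess: float) -> float:
    """Worst-case time to try every candidate at the given per-guess cost."""
    return keyspace_size(alphabet_size, max_length) * secs_per_guess


if __name__ == "__main__":
    # Compare a weak and a strong work factor for 8-character lowercase passwords.
    for iterations in (1_000, 100_000):
        per_guess = seconds_per_guess(iterations)
        total = exhaustive_search_seconds(26, 8, per_guess)
        print(f"{iterations:>7} iterations: {per_guess * 1e3:.2f} ms/guess, "
              f"exhaustive search of 8 lowercase chars ~ {total / 86400:.0f} days on this CPU")
```

Raising the iteration count multiplies both the attacker's per-guess cost and the server's per-login cost by the same factor, which is exactly the balance the paragraph above describes.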


William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]
