Over 700 million LinkedIn records have been listed for sale on a popular hacker forum. The records include full names, gender, email addresses, phone numbers, and industry information.
Fortunately, credit card data, private messages, and other sensitive information were not included in the leak.
Unfortunately, hackers can now use the stolen email addresses that were leaked to access users’ accounts using various combinations of common passwords. This is a form of a brute force attack.
A brute force attack is a hacking technique that attempts to guess possible combinations of a specific password until the correct one is found.
In this blog, we are going to discuss how brute force attacks work, the different types of brute force attacks, and how to protect yourself and your business from them.
How Do Brute Force Attacks Work?
A brute force attack uses trial-and-error to guess passwords. Hackers work through all possible combinations in hopes of guessing correctly. This can take hours, days, months, or even years depending on the level of security a computer has.
Hackers use scripts or bots that target a website or login page. The scripts will then cycle through every possible key or password. Once the hacker has gained access to the login information, they will usually take the opportunity to steal sensitive data or valuables.
Cybercriminals will also use high-powered graphics cards (GPUs) to speed up the number of guesses per second. The GPU accelerates programs running on the CPU by offloading some of the computer’s most intense and time-consuming functions.
A password recovery company was able to increase password guesses of one GPU from 3.4 million guesses per second to nearly 700 million guesses per second!
What Are the Different Types of Brute Force Attacks?
There are many types of brute force attacks, but we will focus on three of them: dictionary, reverse brute force, and credential stuffing.
Dictionary attacks are one of the most common types of brute force attacks. Simply put, these attacks use a list of words in a dictionary to crack passwords. Some dictionary attacks may use a list of commonly used passwords. Believe it or not, millions of people still use ‘password’ as their password. A dictionary attack could crack that in seconds!
Reverse brute force attacks do not target a specific login. Instead, these attacks will start with a common password. There is a massive number of leaked passwords available online from existing data breaches, so hackers will start there. Then, the hackers will search a database of usernames that use that password until there is a match.
If a hacker can figure out the username and password combination of a website or application, they will try to use the same information for other logins. This is known as credential stuffing. A lot of people like to use the same passwords to access other websites because it is simpler. This is a goldmine for cybercriminals.
How Can You Protect Yourself from Brute Force Attacks?
The most effective way to keep yourself and your team safe from a brute force attack are to always use a strong username and password. Login credentials like “admin” and “password1234” will not cut it. Luckily, most applications and websites will prevent users from creating passwords this simple. Generally, secure passwords are around 12-16 characters long and do not use common words or phrases.
If you are uncertain of how secure to make your password, there are password generators that do the work for you. These random password generators will give you the option to select the length, level of encryption, and more. If keeping track of passwords is becoming too much of a burden for you or your staff, there are password managers that will store all your passwords. Most, if not all these managers will come with password-generating software.
Your staff should be comfortable with using multi-factor authentication in addition to using strong passwords. A strong password may not be enough. This is where multi-factor authentication comes in. In addition to a strong password, a staff member could use a fingerprint, a PIN code, or a physical token. So even if a hacker were to gain access to a password, they cannot log in with that second step.
Your IT team should audit the number of unused accounts and logins, especially the accounts with high-level permissions. Unmaintained accounts are breeding grounds for hackers, and they should be deleted as soon as possible.
It is also recommended to set up a rule that will lock down a computer after too many failed login attempts. If a hacker keeps retrying passwords to log in via a brute force attack, a lockdown rule will prevent them from pursuing it. Then, your IT team will be responsible for reopening the account and securing the password.
Brute force attacks are an old attack method, but they are still effective and very popular with cybercriminals. The success of these attacks just depends on the length and complexity of the usernames and passwords you use.
It is important that you and your staff stay away from commonly used passwords and change them often. Your IT team can implement a password reset policy; typically, every 90 days is good enough. It is highly recommended that you never reuse a password. If you can, have your staff switch up their usernames for every site as well.
If you have unused accounts, be sure to deactivate them. A lockdown policy will help prevent brute force attacks from replicating. You can use password managers to store and create secure passwords; also, many of these password managers include security checks. Password managers like Keeper and LastPass will audit your accounts and “rank” how secure your passwords are.