A hacker sits in the shadows with his hoodie over his head, typing away. He’s trying to log into your account by typing his best guesses at your password.
Using common passwords and word combinations, he attempts to log in repeatedly.
Though hackers may not always dwell in the shadows, they do conduct brute force attacks to steal your valuable data.
What Is A Brute Force Attack?
A brute force attack is when a hacker uses trial-and-error to gain unauthorized access to your accounts or information. Hackers conduct this attack to guess items like login info or encryption keys.
As the name suggests, hackers resort to “brute force” when they have no other vulnerability to exploit. However, hackers typically do not sit there typing every combination by hand.
To make their jobs easier, hackers harness computational power: software tests combination after combination automatically, with minimal oversight by the hacker.
Types Of Brute Force Attacks
Simple Brute Force Attacks
A simple brute force attack involves a hacker manually guessing a user’s login credentials without the aid of software. Hackers typically use a brute force attack when the password is short, like a standard password combination or PIN code.
It seems unlikely that these forceful attempts would be successful, but you’d be surprised. Many people continue to use standard and guessable passwords like “1234,” “4321,” or “0000.”
Dictionary Attacks
A dictionary attack is when a hacker uses a dictionary word list to generate possible passwords. A program uses this list to systematically guess a password by trying many common words and their simple variations. A failed login just tells the program to try the next one on the list, and so on.
A dictionary attack can occur either online or offline. If the attack occurs offline, it can be more challenging to detect.
For example, an online attack involves the hacker submitting each guessed password to the live login service over the network. However, since many login sites limit the number of attempts, hackers can be thwarted by the application’s account security.
For offline attacks, hackers can guess the password an unlimited number of times. Numerous failed guesses do not deter the hacker because they never reach the target’s login system, so there are no failed login attempts to flag. The hacker must have the password storage file from the targeted system to conduct an offline dictionary attack.
A dictionary attack is considered a more efficient version of a brute force attack as passwords are more likely to be a simple word than a list of random numbers.
Hybrid Brute Force Attacks
Hybrid brute force attacks use the same approach as a dictionary attack but combine several words in each guess instead of trying a single word at a time.
A hybrid brute force attack is a step-up from a dictionary attack as more complicated passwords like “PinkGrenade” could also be cracked.
Reverse Brute Force Attacks
A reverse brute force attack is when a hacker uses a common password to log into multiple usernames. Instead of using numerous password possibilities to hack into one account, the hacker does the opposite.
Targeted brute force attacks have a greater success rate for hackers. Suppose the hacker gains access to an employee’s password but does not have the corresponding username. In that case, the hacker may conduct a reverse brute force attack to gain unauthorized access to the employee’s account.
Credential Stuffing
Credential stuffing is the cyber attack practice of collecting stolen account credentials and using software to log into the accounts. These stolen account credentials are often compromised in data breaches.
Credential stuffing has an estimated success rate of 2%. That may not sound like much, but one million stolen credentials could lead to hackers gaining access to 20,000 accounts.
Since many data breaches have exposed millions of customers’ login information, credential stuffing is a serious cybersecurity threat.
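As an added example (not from the original article), this Python sketch shows how a defender can spot two of the attack shapes described above in authentication logs: many failures against one account from one source (a simple or dictionary brute force attack) and one source failing against many different usernames (a reverse brute force attack). The log format, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAILED user=alice src=198.51.100.7
2024-03-01T09:00:02 FAILED user=alice src=198.51.100.7
2024-03-01T09:00:03 FAILED user=alice src=198.51.100.7
2024-03-01T09:00:04 FAILED user=alice src=198.51.100.7
2024-03-01T09:00:05 FAILED user=alice src=198.51.100.7
2024-03-01T09:00:06 FAILED user=alice src=198.51.100.7
2024-03-01T09:01:00 FAILED user=bob src=203.0.113.9
2024-03-01T09:01:01 FAILED user=carol src=203.0.113.9
2024-03-01T09:01:02 FAILED user=dave src=203.0.113.9
2024-03-01T09:01:03 FAILED user=erin src=203.0.113.9
2024-03-01T09:01:04 FAILED user=frank src=203.0.113.9
2024-03-01T09:02:00 FAILED user=grace src=192.0.2.44
2024-03-01T09:02:30 SUCCESS user=grace src=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "result": m.group(2),
                           "user": m.group(3), "src": m.group(4)})
    return events

def detect(events, per_user_threshold=5, spray_threshold=4):
    """Return (kind, src, user, count) findings: 'brute_force' when one source fails
    per_user_threshold+ times on one user, 'reverse_brute_force' when one source
    fails against spray_threshold+ distinct users."""
    fails_by_src_user = defaultdict(int)
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] != "FAILED":
            continue  # successes are not counted toward either pattern
        fails_by_src_user[(e["src"], e["user"])] += 1
        users_by_src[e["src"]].add(e["user"])
    findings = []
    for (src, user), n in fails_by_src_user.items():
        if n >= per_user_threshold:
            findings.append(("brute_force", src, user, n))
    for src, users in users_by_src.items():
        if len(users) >= spray_threshold:
            findings.append(("reverse_brute_force", src, None, len(users)))
    return findings
```

Running `detect(parse(SAMPLE_LOG))` flags alice’s six failures from one address and the single address cycling through five usernames, while grace’s one failed attempt followed by success stays quiet.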
How To Protect Yourself From Brute Force Attacks
The easiest way for individuals to protect themselves from brute force attacks is to follow essential password practices.
Use Long Passwords With Unique Characters
Your password should be at least 12 characters long. The longer the password is, the longer it takes for a hacker or a computer to successfully conduct a brute force attack on your account.
Hopefully, the amount of time it takes to crack your password deters the hacker.
Meanwhile, a hacker could crack an 8-character password in less than an hour.
Unique characters include @, %, +, \, /, and !. It is best to disperse unique characters randomly throughout your password.
Never Use Common Passwords
“123456” is the most common password in the world and is used by over 23 million people.
Attacks like dictionary attacks and hybrid brute force attacks rely on people using common passwords. Avoid making the hackers’ jobs easier than they need to be!
Common passwords include:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
- aa12345678
- Qwertyuiop
Recognize your password in this list? Immediately change your password before a hacker figures it out!
Never Reuse Passwords
67% of all Americans use the same password for different online accounts. Don’t give hackers a two-for-one deal when they access one of your accounts.
The point of your password is to secure your account. Don’t spread your password net too thin by expecting one password to protect all your accounts from every hacker.
Data breaches happen all the time through no fault of your own. That means that your strongest password can get into the hands of hackers.
You don’t want to reset all your passwords when you find out one of them is in the hands of hackers. Use a unique password every time.
Integrate Random Characters Instead Of Passphrases
“Random” is a strong word since it’s argued that humans cannot truly think “randomly.” However, a password like “F24!rankHsaieI34sSoO01CuGns24te” is much stronger than “FrankieIsSoCute.”
If you can’t remember a password like this off the top of your head and hate typing in long passwords, consider using a password manager!
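Added example, not from the original article: a small Python check that applies the advice from the last three sections (at least 12 characters, not on the common-password list above, more than one type of character) and estimates the worst-case keyspace an attacker would have to search. The guess rate is an assumed figure, and the estimate treats the password as random, so it overstates the strength of word-based passwords like “FrankieIsSoCute”.

```python
import string

# The common passwords listed on this page, stored lowercase for comparison.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345", "qwerty123",
    "1q2w3e", "12345678", "111111", "1234567890", "aa12345678", "qwertyuiop",
}
MIN_LENGTH = 12
# Assumed attacker guess rate; a hypothetical figure used only for the estimate.
GUESSES_PER_SECOND = 1e10

def charset_size(password):
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size

def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds to try every string of this length over the same alphabet.
    This treats the password as random; a word-based password such as
    'FrankieIsSoCute' falls to a dictionary or hybrid attack far sooner."""
    return charset_size(password) ** len(password) / rate

def check_password(password):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if charset_size(password) <= 26:
        problems.append("uses only one type of character")
    return problems
```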
Use A Password Manager
Most cyber-security specialists agree that password managers are the most secure way to protect your passwords.
When you use a password manager, you are empowered to create strong, unique passwords. Google Chrome also includes a free password generator and password manager.
Agency’s comprehensive personal cybersecurity plan also includes a password manager.
Cybersecurity is more than a password manager or antivirus. Robust cybersecurity is a toolbox of technological applications that cover possible vulnerabilities and remediate cyber attacks if they do occur.
The personal plan includes:
- 24/7 Active Security Monitoring & Response by U.S. Professionals
- VPNs
- Next-Gen Antivirus/EDR
- ID Theft Coverage
- Active Dark Web Monitoring
- Personal Information Removal
Try the first month free by signing up for the newsletter.
Protect yourself from cyber attacks like brute force attacks and more. Get Agency.