Brute Force Attacks: How to Defend Against Password Cracking

Does Brute Force Password Cracking Still Work?

If you challenged a friend to crack your password, they’d probably try entering some of the most commonly used passwords, your child’s name, your date of birth, etc.

If you challenged a seasoned hacker to crack your password, they’d probably do it in under a minute, thanks to their brute force techniques.

What’s brute force?

A brute force attack is an illegal, “black-hat” attempt by a hacker to obtain a password or a PIN.

It relies on repeated trial-and-error attempts to guess the password and break into a website or a service. These attempts are quick and vigorous and are carried out by bots.

A report by eSentire says that brute force attacks increased by 400% in 2017. While some of these attacks were blocked, a majority of them were able to gain unauthorized access to user accounts.

How does a brute force attempt work?

Most websites require a password of at least eight characters. Each character you add to your password increases its complexity and makes it even more difficult for brute force hackers to break into the system.

Let’s say you choose eight alphanumeric characters for your password. This includes uppercase and lowercase letters, along with numbers.

The possible character set you’ll use will be 26 x 2 letters (uppercase + lowercase) = 52 characters. Add 10 digits to it and the possible character set will have 62 characters.

So, for an eight-character password that has uppercase and lowercase letters and numeric digits, it will take 62^8 attempts. This comes out to about 218 trillion combinations.

If a bot attempts one combination per second, it will take about 218 trillion seconds or 7 million years to crack that password. That means your eight-character password is safe, right?

Not really.

Say a computer can perform 1,000 combinations in a second. The total time for breaking your password will now be reduced to seven thousand years.

Still safe, right?

Not so fast.

A supercomputer that performs 10^9 combinations per second can test all your combinations in just 22 seconds!

Here’s a calculator you can use to find out how long it will take for a brute force attack to break your password using a regular PC.

Tools of the trade.

While common people don’t have access to supercomputers, hackers are not people who’d want to go through your email accounts for some juicy gossip.

They are serious criminals who have high computing power to break through millions of bank account details and credit card numbers.

So, yes, such an attack is entirely possible.

Do brute force attacks still work?

Most certainly!

While it might not be possible to try all the combinations manually, hackers have devices with the computing power of supercomputers, and they can crack any weak password to gain access to financial and other sensitive data.

That’s why you hear news of online break-ins and cyber espionage almost every day.

What should web administrators do?

It’s important for web admins to “salt and hash” all passwords, a technical procedure that thwarts hackers, so that if hackers did break into a network, they’d be unable to get access to all user accounts.

What should users do?

Use different character sets: As a user, you should use a long password with a combination of uppercase and lowercase letters, numbers, and special symbols.

With each additional character, the brute force algorithm has to work harder to crack the password.

Come up with cryptic (mysterious) words and phrases: The more information a hacker has, the easier it is for them to crack your password.

There are some common passwords that people choose. Seasoned hackers try all these passwords first to see if any of them lets them in. While the most commonly used passwords are qwerty and 123456, common English words can also be guessed easily.

This is why most experts suggest using cryptic messages that aren’t everyday words or phrases.

Keep different passwords: Use different passwords for different websites. This way, if a hacker gains access to one password, your other accounts will still be safe.

Use a password manager: A password manager, which is an online service, will not just remember your passwords; it will also recommend strong passwords for your new accounts. You’ll just have to create and remember one master password. The password manager will take care of the rest.

Use two-factor authentication: Activate two-factor authentication so anyone trying to steal your password will also need access to your phone. This adds a level of security and makes stealing passwords even more difficult.

Brain Power

Brute force attacks are very real and still happen. In fact, with increased computing power, it has become even easier for hackers to carry out these attacks.

Make sure you have a strong (and long) password that can stay safe from such attacks.

Better yet, as mentioned before, probably your best move is to use a password manager: make life simpler and frustrate a few hackers.

You can get more information on leading password managers here.
