Brute Force Attacks
Last updated on December 20th, 2019
Unlike many other tactics used by bad actors, brute force attacks don’t rely on vulnerabilities within websites. Instead, they rely on users having weak or guessable credentials, which the attacker recovers by trial and error. Their simplicity and the sheer number of potential targets make brute force attacks very popular.
Brute force attacks occur when a bad actor attempts a large amount of combinations on a target. These attacks frequently involve multiple attempts on account passwords with the hopes that one of them will be valid. It’s a bit like trying all of the possible combinations on a padlock, but on a much larger scale.
Passwords are not the only resource that can be brute forced: Links and directories, usernames, and emails are other common targets.
The objective of a brute force attack is to gain access to a resource otherwise restricted to other users. This can be an administrative account, password-protected page, or simply to enumerate valid emails on a given website.
Gaining access to a valid account can mean compromising the entire site, which bad actors can then use as part of their network of compromised websites.
The most common type of brute force attack is the dictionary attack, which works through a list of credentials, typically common usernames and passwords, to gain access to administrative accounts.
Generic dictionary attacks usually try to log in with the most commonly used credentials, such as “admin” and “123456.”
Common sense is important in identifying brute force attempts. Basically, if it appears someone is repeatedly and unsuccessfully trying to log in to an account, it’s likely an attempted brute force attack.
Signs can include:
The same IP address unsuccessfully trying to log in multiple times.
Many different IP addresses unsuccessfully trying to log in to a single account.
Multiple unsuccessful login attempts from various IP addresses in a short time period.
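The three signs listed above can be checked mechanically. The following is an added example written for this page, not code from the original article: it parses a few constructed failed-login log lines (the format, IP addresses, account names and thresholds are all assumptions for the example) and raises one alert per sign: many failures from one IP, many distinct IPs failing against one account, and a burst of failures inside a short window.

```python
"""Flag the three brute-force signs from the article in a list of login-audit lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-12-20T10:00:01 198.51.100.7 admin FAIL
2019-12-20T10:00:02 198.51.100.7 admin FAIL
2019-12-20T10:00:03 198.51.100.7 admin FAIL
2019-12-20T10:00:04 198.51.100.7 admin FAIL
2019-12-20T10:00:05 198.51.100.7 admin FAIL
2019-12-20T10:00:06 198.51.100.7 admin FAIL
2019-12-20T10:01:00 203.0.113.1 editor FAIL
2019-12-20T10:01:01 203.0.113.2 editor FAIL
2019-12-20T10:01:02 203.0.113.3 editor FAIL
2019-12-20T10:01:03 203.0.113.4 editor FAIL
2019-12-20T10:01:04 203.0.113.5 editor FAIL
2019-12-20T10:05:00 192.0.2.9 alice OK
2019-12-20T11:30:00 192.0.2.10 bob FAIL
"""

# Assumed thresholds; tune them to the site's normal traffic.
PER_IP_THRESHOLD = 5        # sign 1: failures from a single IP
PER_ACCOUNT_THRESHOLD = 5   # sign 2: distinct IPs failing against one account
BURST_THRESHOLD = 10        # sign 3: total failures inside WINDOW
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn the audit lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect(log_text):
    """Return a list of (sign, subject, count) alerts for the three signs."""
    failures = [(t, ip, u) for t, ip, u, ok in parse(log_text) if not ok]
    alerts = []

    # Sign 1: the same IP failing repeatedly.
    by_ip = Counter(ip for _, ip, _ in failures)
    for ip, n in by_ip.items():
        if n >= PER_IP_THRESHOLD:
            alerts.append(("same_ip", ip, n))

    # Sign 2: many different IPs failing against one account.
    ips_per_account = defaultdict(set)
    for _, ip, u in failures:
        ips_per_account[u].add(ip)
    for u, ips in ips_per_account.items():
        if len(ips) >= PER_ACCOUNT_THRESHOLD:
            alerts.append(("many_ips_one_account", u, len(ips)))

    # Sign 3: a burst of failures in a short period (sliding window over sorted times).
    times = sorted(t for t, _, _ in failures)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    if peak >= BURST_THRESHOLD:
        alerts.append(("burst", str(WINDOW), peak))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields three alerts: 6 failures from 198.51.100.7, 5 distinct IPs against the editor account, and 11 failures within a 5-minute window; the lone failure for bob at 11:30 produces nothing. A real deployment would read these lines from the web server or login-audit log and feed the alerts to the lockout or firewall rule.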
Gaining access to an administrative account on a website is the same as exploiting a severe vulnerability. Hackers will attempt to profit from their access, such as by adding spam, distributing malware, or phishing unsuspecting victims.
A generic brute force attack can use different methods, such as iterating through all possible passwords one at a time. This exhaustive approach is mostly used against local files, where there is no limit on the number of attempts; against online targets, the attacks described below are usually more successful at scale.
A dictionary attack uses a list of words and common passwords instead of trying every combination, building a “dictionary” of likely passwords and iterating through them. A good password list improves the attacker’s success rate, but these attacks still require a large number of attempts against possible targets.
A hybrid attack uses both the dictionary attack and a regular iterative pattern. Instead of trying literally all passwords, it will perform small modifications to words in a dictionary, such as adding numbers or changing the case of letters.
With a growing number of data breaches, password reuse has become an easy way for attackers to compromise specific accounts: credentials leaked from one site are simply tried on others.
Credential stuffing attacks have a low rate of success and rely primarily on lists of usernames and passwords taken from data breaches. Hackers use these lists to attempt to log in with the stolen credentials, which is why it is important to update your username and password if your data has been involved in a breach.
Brute force relies on weak passwords. A strong password has the following traits:
Unique: Avoid reusing passwords, because websites get compromised and their stored passwords get cracked. If you reuse passwords, attackers can use credentials compromised on one website to target your accounts on others.
Long: A longer password means more possible combinations to try before reaching it. Five-character passwords can be cracked on pretty much any computer in a few seconds, 10 characters would take a few years, and 20 characters would take nearly forever.
Hard to guess: Snippets of information like your own name or the city where you live may make a password easier to remember, but they also make it easier to guess for anyone who learns something about you. The same goes for common text such as “12345” or “password,” which turns up constantly in credentials because it is easy to remember.
With these characteristics in place, brute force attempts will not succeed in guessing your password, so you should be safe against them.
The same principles apply to recovery questions: if your password is strong but your recovery questions are weak, it is easier for attackers to reset your password than to guess it.
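The three traits above, together with the hybrid-attack trick of tweaking dictionary words (case changes, leet substitutions, appended digits), can be enforced at account creation. The checker below is an added example for this page, not code from the original article; the word list, minimum length, leet mapping and breach set are constructed stand-ins for the real lists a site would use. It also computes the rough keyspace size that underlies the length argument.

```python
"""Check a candidate password against the article's three traits: unique, long, hard to guess."""
import math
import re
import string

# Constructed stand-ins (not real lists): a tiny set of common passwords and an
# empty breach set; a real deployment would use full breach-derived lists.
COMMON_WORDS = {"password", "123456", "admin", "letmein", "qwerty", "welcome"}
MIN_LENGTH = 12                      # assumed policy value
LEET_MAP = str.maketrans("4301$@!", "aeolsai")  # undo common substitutions


def normalize(pw):
    """Strip the tweaks a hybrid attack would add so 'P4$$w0rd2019!' is judged as 'password'."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing digits/symbols, e.g. '2019!'
    base = re.sub(r"^[^a-z]+", "", base)   # leading digits/symbols
    return base.translate(LEET_MAP)        # 4->a, 3->e, 0->o, 1->l, $->s, @->a, !->i


def keyspace_bits(pw):
    """Upper bound on search space: log2(alphabet_size ** length)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, personal_info=(), breached=frozenset()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if pw in breached:                                   # unique
        problems.append("not unique: appears in a breach list")
    if len(pw) < MIN_LENGTH:                             # long
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    if normalize(pw) in COMMON_WORDS or pw.lower() in COMMON_WORDS:   # hard to guess
        problems.append("guessable: common word or a simple variation of one")
    for info in personal_info:
        if info and info.lower() in pw.lower():
            problems.append(f"guessable: contains personal info '{info}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P4$$w0rd", "Password2019!", "correct-horse-battery-staple"):
        print(candidate, round(keyspace_bits(candidate)), "bits", check_password(candidate))
```

The normalization step is what makes the "hard to guess" check meaningful: a plain blacklist accepts "P4$$w0rd" and "Password2019!", while a hybrid attack tries exactly those variations of "password" early on.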
A requirement for brute force attacks is to send credentials. If you change the login page URL — for example, moving from /wp-login.php to /mysite-login — this can be enough to stop most automated and bulk tools.
Unfortunately, this won’t stop more advanced attacks if the new link is guessable or visible on the page, but it is an easy way to defeat generic automated attacks.
Brute force attacks rely on trying many passwords and accounts. By restricting login attempts to a small number per user, attackers cannot try more than a few passwords.
A common way to restrict login attempts is to temporarily ban an IP address after five failed login attempts; any further attempts from that IP are blocked until the ban expires.
Captchas are a good way of preventing bots and automated tools from performing actions on your website: they present a challenge before a login can even be attempted. Because the challenge is designed to be solved by humans, bots have a hard time passing it, which blocks their attacks.
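The five-failures-then-ban rule from above, as an added example for this page (not the article’s or any plugin’s code). The failure window and ban length are assumed values, and the manual clock exists only so the example runs deterministically; note that a correct password submitted during the ban is still refused, which is the point of the lockout.

```python
"""Temporary per-IP lockout after a fixed number of failed logins."""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # failures allowed before the ban (from the article)
FAILURE_WINDOW = 15 * 60    # only failures in the last 15 minutes count (assumed)
BAN_SECONDS = 20 * 60       # length of the temporary ban (assumed)


class LoginRateLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time the ban expires

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    def is_blocked(self, ip):
        now = self.clock()
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return True
            del self.banned_until[ip]        # ban expired: start with a clean slate
            self.failures[ip].clear()
        return False

    def record_failure(self, ip):
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS

    def record_success(self, ip):
        self.failures[ip].clear()


def attempt_login(limiter, ip, username, password, check_credentials):
    """Return 'blocked', 'ok' or 'failed'; the ban is checked before the password."""
    if limiter.is_blocked(ip):
        return "blocked"
    if check_credentials(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "failed"


class ManualClock:
    """Deterministic clock for the demo (constructed for this example)."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Five wrong guesses, a correct password during the ban, then one after it expires."""
    clock = ManualClock()
    limiter = LoginRateLimiter(clock=clock)

    def valid(user, pw):                     # stand-in for the real credential check
        return (user, pw) == ("admin", "correct horse battery staple")

    ip = "198.51.100.7"
    results = [attempt_login(limiter, ip, "admin", f"guess{i}", valid) for i in range(5)]
    results.append(attempt_login(limiter, ip, "admin", "correct horse battery staple", valid))
    clock.advance(BAN_SECONDS + 1)
    results.append(attempt_login(limiter, ip, "admin", "correct horse battery staple", valid))
    return results


if __name__ == "__main__":
    print(demo())   # ['failed', 'failed', 'failed', 'failed', 'failed', 'blocked', 'ok']
```

Keying the ban on the source IP stops the single-IP pattern; the distributed pattern (many IPs against one account) needs an additional per-account counter, which can be added to the same class.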
2FA adds another layer of security to your login form. After you log in with valid credentials, you must also enter a code that only you can access, such as one sent by email or a unique code generated by an authenticator app.
This additional layer prevents anyone who has obtained your credentials from accessing your account without the second piece of authentication.
Alongside two-factor authentication, you can put your website behind a web application firewall (WAF), which filters malicious requests, including brute force attempts, before they reach your login page.
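What the "unique code generated by an authentication tool" actually is, as an added example for this page (not the article’s code): the server verifies a time-based one-time password per RFC 6238, built on the HOTP construction of RFC 4226, using only the Python standard library. The secret below is the published RFC test secret, the step size and window are the usual defaults, and the replay set is an assumption about how the server would store already-used codes.

```python
"""Server-side verification of a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP)."""
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30   # seconds each code is valid for

# Reference secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890");
# a real account gets a random secret shared once with the authenticator app.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1, used=None) -> bool:
    """Accept the current step and `window` steps either side (clock drift); refuse replays."""
    used = used if used is not None else set()
    now_step = int(at // STEP)
    for delta in range(-window, window + 1):
        step = now_step + delta
        if hmac.compare_digest(hotp(secret, step), submitted):
            if step in used:
                return False        # code already consumed: replay attempt
            used.add(step)
            return True
    return False


if __name__ == "__main__":
    # Second factor after the password check has already passed.
    now = time.time()
    code = totp(RFC_SECRET, now)            # what the authenticator app would display
    print("code:", code, "accepted:", verify_totp(RFC_SECRET, code, now))
```

`hmac.compare_digest` keeps the comparison constant-time, and the `used` set means a code that was captured by a phishing page or keylogger cannot be submitted a second time within its validity window.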