Understanding Brute Force Attack Prevention
In the hacker community, gaining access is the Holy Grail. With a valid set of login credentials, attackers can make large financial gains by distributing spam and malware, and they can chain the compromised site into more complex attack sequences that include toolkits such as the Blackhole Exploit Kit. In the process, the attacker damages your brand, your visitors, and your online presence.
Every Website Suffers Brute Force Attacks
The time between a brand new website going live and the first malicious login attempts is a few weeks at most. These login attempts come from automated botnets programmed to crawl the internet for websites and locate their login panels using preset conditions. The attacks are not targeted and are not carried out manually. Once a login panel is found, tools repeatedly guess passwords with the goal of gaining access. These bots work incredibly fast, and the crackers who control them have huge amounts of data (leaked password lists and the patterns extracted from them) that make the guessing far more efficient. Once the bot finds a matching password, the attacker can upload a shell, create new accounts, change passwords, upload malicious payloads, and do lasting damage to your business.
DoS Implications
Because of the sheer number of requests involved, a brute force attack can function much like a DoS attack, taking sites down through high CPU and memory utilization. The Sucuri Website Firewall prevents this by filtering the requests before they reach the site and by using caching to speed up your website.
Time Delay
There is often a time delay between a successful guess and the attacker actually using the access. This makes sense: it allows the attack traffic to die down and the relevant server log entries to rotate out, leaving little trace of the attacker. We have seen this too often. Some hosts retain only 7 days of logs, and in some cases no more than 24 hours. This means that if attackers wait long enough, they can log in whenever they like and website owners are none the wiser. It also makes incident response much harder: by the time the compromise is noticed, the login that caused it may no longer appear in any log.
About Strong Passwords
A very strong password does make it difficult for a brute force attack to succeed, but not impossible. Not only are we humans bad at choosing passwords, but crackers continue to improve the password guessing game in a number of ways.
Dictionary Attacks
With roughly 95 printable characters on a typical keyboard, a very basic brute force attack attempts every possible combination of those characters until access is granted. This works quickly if the password is short, but the number of combinations grows exponentially with length, so it becomes impractical for longer passwords. To account for longer passwords, a dictionary attack is far more common. Instead of guessing every possible character combination, it tries lists of common words from dictionaries, literature, and previous leaks. The tools that attackers use to perform dictionary attacks are getting smarter and more complex every day.
Password Lists
Many companies have suffered password breaches, and attackers often release the recovered passwords as lists for other hackers to take advantage of. The trend promises to continue, meaning that all the most common passwords are breakable within seconds. It isn't just the weak passwords, either. Dictionary attack tools are highly customizable, and the sheer number of word lists has made it almost impossible to be sure that your password alone is a sufficient lock on your website. Breaches will keep occurring, and hackers study the password dumps to learn the tricks that savvy people use to make passwords both memorable and strong, then encode those tricks as cracking rules.
Password Cracking Tools
There is a large selection of password cracking tools available to attackers looking to break into your website. The tools have various attack modes to make the attack efficient and to cover as much ground as possible. For example, combinator attacks join two words from password lists. Mask attacks exploit the way humans design passwords, trying common patterns such as a capitalized word followed by a couple of digits and a symbol. With commodity hardware hashing hundreds of millions of candidates per second against a stolen database of fast, unsalted hashes, the scary reality is that many so-called strong passwords fall in under an hour. Against a live login form the rate is far lower, which is exactly why rate limiting and lockouts matter.
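The three attack modes described above (dictionary, combinator, and a word-plus-mask pattern), run as an added example against a constructed table of unsalted SHA-1 hashes. This is illustrative code written for this page, not the article's own or any cracking tool's code; the wordlist, the user names, and the "leaked" digests are all made up here, and the mask syntax (`?d` digit, `?s` symbol, and so on) merely mimics the convention common cracking tools use.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Tuple

# Constructed sample wordlist standing in for a leaked-password list.
WORDLIST = ["password", "summer", "dragon", "sucuri", "letmein", "welcome"]


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed "leaked" user table: unsalted SHA-1 digests of hypothetical users.
LEAKED = {
    "alice": sha1_hex("dragon"),        # plain dictionary word
    "bob":   sha1_hex("summerdragon"),  # two list words joined
    "carol": sha1_hex("Sucuri19!"),     # capitalized word + digits + symbol
    "dave":  sha1_hex("Tr0ub4dor&3"),   # none of the three modes below reaches this
}

# Character classes for mask positions (a small symbol set keeps the run short).
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": "!@#$%",
}


def dictionary_mode(words: Iterable[str]) -> Iterator[str]:
    """Try each list entry as-is."""
    yield from words


def combinator_mode(words: Iterable[str]) -> Iterator[str]:
    """Try every ordered pair of list entries joined together (word with itself included)."""
    for a, b in itertools.product(list(words), repeat=2):
        yield a + b


def mask_mode(words: Iterable[str], mask: str) -> Iterator[str]:
    """Hybrid mode: each word, as written and capitalized, followed by every
    string the mask describes, e.g. "?d?d?s" -> two digits then one symbol."""
    tokens = mask.split("?")[1:]              # "?d?d?s" -> ["d", "d", "s"]
    charsets = [CHARSETS[t] for t in tokens]
    for w in words:
        for base in (w, w.capitalize()):
            for tail in itertools.product(*charsets):
                yield base + "".join(tail)


def crack(leaked: Dict[str, str], candidates: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once and match it against every leaked digest at once.
    Returns (user -> recovered password, number of candidates hashed)."""
    by_hash = {h: user for user, h in leaked.items()}
    found: Dict[str, str] = {}
    tried = 0
    for cand in candidates:
        tried += 1
        user = by_hash.get(sha1_hex(cand))
        if user is not None and user not in found:
            found[user] = cand
    return found, tried


def run_all(leaked: Dict[str, str] = LEAKED, words=WORDLIST) -> Dict[str, Tuple[Dict[str, str], int]]:
    """Run the three modes in order of cost and report what each one recovers."""
    results = {}
    for name, gen in (
        ("dictionary", dictionary_mode(words)),
        ("combinator", combinator_mode(words)),
        ("mask ?d?d?s", mask_mode(words, "?d?d?s")),
    ):
        results[name] = crack(leaked, gen)
    return results


if __name__ == "__main__":
    for mode, (found, tried) in run_all().items():
        print(f"{mode:12s} tried {tried:5d} candidates, recovered {found}")
```

Each mode recovers a different user for only a few thousand hash computations in total, while "dave", whose password matches none of the patterns the modes encode, survives all three. The `crack` helper hashes every candidate exactly once regardless of how many accounts are in the dump, which is why a leaked table of unsalted hashes is cracked "all at once" rather than user by user.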
Rainbow Tables
Hackers who steal a password database initially hold a list of password hashes, not passwords. Passwords should never be stored in plain text, but far too often they are stored with one of the same two fast hash functions (MD5 or SHA1) and no salt. These functions are not reversible, but they are so cheap to compute that an attacker can precompute rainbow tables: compact lookup structures that trade storage for computation and map a hash back to its plain text across an entire keyspace. A per-user salt defeats such tables, because the same password no longer produces the same hash, and a deliberately slow password hash (bcrypt, scrypt, Argon2, PBKDF2) makes precomputation and brute force alike far more expensive.
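A miniature rainbow table, added here as an example of the time/memory trade-off the paragraph describes (this is illustrative code for this page, not the article's own). It assumes a toy keyspace of 4-digit PINs hashed with unsalted MD5 so that it builds in well under a second; real tables apply exactly the same chain construction to much larger keyspaces. Only chain endpoints are stored, a different reduction function is used at each step, and the lookup shows both that any PIN a chain visited is recovered from its hash and that a salted hash of the same PIN is not found at all.

```python
import hashlib
from typing import Dict, List, Optional

# Assumed toy parameters (not from the article): 4-digit PINs hashed with unsalted MD5.
KEYSPACE = 10_000                       # PINs "0000".."9999"
CHAIN_LEN = 8                           # hash/reduce steps per chain
CHAIN_STARTS = range(0, KEYSPACE, 8)    # 1250 chains, one start every 8 PINs


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def reduce_fn(digest: str, step: int) -> str:
    """Map a digest back into the keyspace. Using a different reduction at each
    step is what distinguishes a rainbow table from a plain hash chain and
    limits how often chains merge."""
    return f"{(int(digest, 16) + step) % KEYSPACE:04d}"


def chain(start: str) -> List[str]:
    """Every plaintext one chain visits: the start, then CHAIN_LEN hash/reduce steps."""
    points = [start]
    for step in range(CHAIN_LEN):
        points.append(reduce_fn(md5_hex(points[-1]), step))
    return points


def build_table() -> Dict[str, List[str]]:
    """Store only endpoint -> starts (the memory side of the trade-off).
    Several chains can merge into the same endpoint, so every start is kept."""
    table: Dict[str, List[str]] = {}
    for n in CHAIN_STARTS:
        points = chain(f"{n:04d}")
        table.setdefault(points[-1], []).append(points[0])
    return table


def lookup(table: Dict[str, List[str]], target: str) -> Optional[str]:
    """Recover the preimage of an unsalted MD5 digest, or None if no chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target was produced at step i of some chain and apply the
        # remaining reductions to see which endpoint that chain would have.
        x = reduce_fn(target, i)
        for j in range(i + 1, CHAIN_LEN):
            x = reduce_fn(md5_hex(x), j)
        for start in table.get(x, []):
            # Regenerate the candidate chain (the computation side of the
            # trade-off); no match along it means this endpoint was a false alarm.
            p = start
            for k in range(CHAIN_LEN):
                h = md5_hex(p)
                if h == target:
                    return p
                p = reduce_fn(h, k)
    return None


def salted_md5(salt: str, pin: str) -> str:
    """The same PIN under a per-user salt hashes to a value no table chain passes through."""
    return md5_hex(salt + pin)


def coverage(table: Dict[str, List[str]]) -> float:
    """Fraction of the keyspace the table can recover. It is always below 1.0:
    chains collide and merge, so 1250 chains x 8 steps never reach all 10,000 PINs."""
    hits = sum(lookup(table, md5_hex(f"{n:04d}")) is not None for n in range(KEYSPACE))
    return hits / KEYSPACE


if __name__ == "__main__":
    table = build_table()
    print("table entries:", len(table), "coverage:", round(coverage(table), 3))
    print("unsalted 0000 ->", lookup(table, md5_hex("0000")))
    print("salted   0000 ->", lookup(table, salted_md5("x7Q", "0000")))
```

The table holds at most 1250 entries for a 10,000-value keyspace, and each lookup costs a few dozen hash computations instead of a full search; that ratio is the whole point of the technique, and it scales to the billions of candidates covered by published tables for unsalted MD5 and SHA1. The salted lookup fails not because MD5 got stronger but because the attacker would need a separate table per salt value.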
Social Engineering
Most often, brute force attacks are not targeted, but when they are, they are even more dangerous. Attackers can gather information about website administrators and users through phishing lures, online profiles, and previous password dumps associated with the user's email address. From there, crackers can build custom rule-based attacks that leave you and your website completely exposed.