Brute force attacks, where cybercriminals try to guess usernames and passwords to access systems, are one of the oldest forms of online threat. Indeed, one could argue that the practice is as old as padlocks and safes with number combination locks. They are also extremely common – according to the Information Commissioner’s Office (ICO), in April 2023 there were 11,000 brute force attacks every second. Becoming a victim of such an attack can have a devastating impact, and in this post we take a deeper look at what these attacks are, how they are carried out and what you can do to prevent them.
What are brute force attacks?
In its simplest form, a brute force attack is someone trying to gain access to your website or system by guessing your login credentials. In most cases, this is done by trial and error, with cybercriminals making repeated guesses until they get it right or give up.
Given the complexity of passwords and the trillions of possibilities, most cybercriminals don’t make random guesses. Many will make use of password dictionaries, i.e., lists of the most commonly used passwords in different languages and regions, as well as buying login credentials stolen during data breaches, from the dark web.
A common misconception about brute force attackers is that they are people sitting at a keyboard, constantly typing passwords into a login page. In reality, they are far more sophisticated than this. Like the businesses they are attacking, they too have access to advanced tools that automate the process, enabling credentials to be entered at pace – some even use the cloud so that they can massively scale up their operations. These tools also draw on databases of stolen credentials and password dictionaries, so that they try the most likely username and password combinations first. Add to this the potential of AI to use that data to predict login credentials, and the true scale of the threat becomes obvious.
The sophistication doesn’t stop there. Traditionally, one of the most effective ways to prevent a brute force attack is to use a firewall that can detect failed login attempts coming from the same IP address. When this happens, the IP is blocked, stopping the user from accessing the login page. Today, brute force attackers have various means to avoid this, such as using VPNs or taking over compromised computers elsewhere.
Don’t become a victim of malware. Read: Tackling Cybersecurity Threats – Protecting Systems From Malware
Who do brute force attackers target?
Every brute force attacker has their own reasons for doing what they do. The motivation for carrying out an attack can include everything from teenagers wanting to deface their school website for a laugh, to state-sponsored gangs trying to disrupt national infrastructure. In between, you have criminals trying to steal user data, business intelligence and money or wanting to take control of systems for other purposes, such as to spread malware.
While everyone is a potential target, cybercriminals generally try to attack the most vulnerable systems as they are easier to access, or the ones that will enable them to achieve other objectives. Smaller companies are often chosen because they have less robust security measures than larger companies; healthcare, education, financial and e-commerce organisations are chosen for their sensitive personal data; and public sector, transport, utility, internet and financial organisations are chosen as attacks on them can be massively disruptive.
Brute force attackers will also target individuals within organisations – whether it is to get access to a politician’s emails, a CEO’s files, or a system admin’s user area, these can be highly lucrative attacks well worth the persistent effort.
Is your network secure? Read: 5 Top Tips to Ensure Network Security
Defending against brute force attacks
There is no single solution to defending against a brute force attack. Instead, companies need to put a range of measures in place to cover all weaknesses. The starting point is a strong password policy. As part of that policy, users should be required to use long, complex passwords that contain upper and lowercase letters, numbers and special characters. Even sophisticated password-cracking tools find these much harder to guess correctly. Additionally, users must not reuse these passwords on any other accounts, and they should be changed regularly so that if anyone does get hold of them, they will soon be out of date.
It is possible to protect passwords even further by hashing and salting them. Hashing converts a relatively simple, easy-to-remember password into a long, complex string of characters, e.g. it can turn Steve-200578 into something like ‘572d811ea5d584bc6d497gg98491e47’. Salting adds a random string of characters to the password before it is hashed, so that even if two users have the same password, the resulting hashes will be different.
The next step is to use two-factor or multi-factor authentication. This adds an extra layer of defence by requiring the user to supply further information besides their username and password when logging in. This can be a six-digit passcode sent by text or generated by an app, or biometric data, like a fingerprint or facial recognition. The advantage of additional authentication is that while a cybercriminal may have cracked the username and password, without physical access to the code on the user’s phone or their fingerprint, they still will not be able to gain entry to the account.
For more information, read: Two-Factor Authentication: Why You Need It for Your Web Hosting
Another important part of brute force defence is to implement a firewall. While smarter attackers may use VPNs and similar means to try to evade detection, these tools can still detect multiple failed login attempts from a single IP and block it. Moreover, you can set limits on the number of failed attempts allowed and on how long an IP is blocked for. Additionally, you can permanently block IPs and restrict the locations from which people can log in. If all your employees are based in the UK, for example, you can block anyone trying to log in from other countries.
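The failed-attempt limit and block duration described above (and the IP-based detection mentioned earlier in the post), as an added example that is not part of the original post: the guard counts failures per IP within a sliding window, blocks the IP once the threshold is reached and drops every attempt from it until the block lapses. The threshold, window, block length, log format and sample log lines are all constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not any provider's defaults.
MAX_FAILURES = 5                   # failed attempts allowed from one IP ...
WINDOW = timedelta(minutes=10)     # ... within this period before it is blocked
BLOCK_FOR = timedelta(minutes=30)  # how long the block lasts

# Constructed sample log, one attempt per line: "<ISO timestamp> <ip> <user> <FAIL|OK>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 admin FAIL
2024-05-01T09:00:03 203.0.113.7 admin FAIL
2024-05-01T09:00:05 203.0.113.7 root FAIL
2024-05-01T09:00:06 203.0.113.7 steve FAIL
2024-05-01T09:00:08 203.0.113.7 admin FAIL
2024-05-01T09:00:09 203.0.113.7 admin OK
2024-05-01T09:01:00 198.51.100.2 steve FAIL
2024-05-01T09:02:00 198.51.100.2 steve OK
2024-05-01T09:31:00 203.0.113.7 admin FAIL
"""

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> when its block expires
        self.events = []                    # audit trail: (action, ip, time)

    def record(self, ip, now, ok):
        # Returns True if the attempt may be processed, False if it must be dropped
        expiry = self.blocked_until.get(ip)
        if expiry is not None and now < expiry:   # block still in force
            self.events.append(("dropped", ip, now))
            return False
        if ok:
            self.failures.pop(ip, None)     # a successful login clears the counter
            return True
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > WINDOW:          # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:          # threshold reached: block and reset
            self.blocked_until[ip] = now + BLOCK_FOR
            q.clear()
            self.events.append(("blocked", ip, now))
        return True

def replay(log_text):
    # Feed each log line through the guard and return its block/drop decisions
    guard = LoginGuard()
    for line in log_text.splitlines():
        ts, ip, _user, result = line.split()
        guard.record(ip, datetime.fromisoformat(ts), result == "OK")
    return guard.events
```

In the sample, the sixth attempt from 203.0.113.7 carries the correct password but is still dropped because the block is already in force, which is exactly what stops a guess that lands after the threshold; the attempt at 09:31 is accepted again because the 30-minute block has lapsed.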
A simple but very effective anti-brute-force tool to use on a login page is CAPTCHA. By requiring the user to prove that they are human, it prevents automated systems from making login attempts and slows down anyone entering credentials manually.
One of the most effective ways to defend against brute force attacks is to choose a secure web host. Hosting providers, like Webhosting UK, have the in-house expertise and the most advanced tools to defend against every type of threat, including brute force attacks. They protect your systems around the clock with advanced firewalls and intrusion and malware prevention, while providing a range of other security features like free SSL certificates, email spam and malware filtering, backup solutions and more.
Conclusion
Brute force attacks have evolved from being crude, manual attempts to guess usernames and passwords to cloud-based, automated systems using algorithms trained on stolen login credentials. Defending against them has become increasingly difficult as their methods of attack have advanced. Hopefully, from reading this article, you’ll now understand how brute force attacks are carried out and the various ways you can protect your systems from them.
If you are looking for fast, affordable and reliable web hosting, backed by rock-solid security against brute force and other types of cyberattacks, visit our Web Hosting with cPanel page.