While some attackers still perform brute force attacks manually, today almost all brute force attacks today are performed by bots. Attackers have lists of commonly used credentials, or real user credentials, obtained via security breaches or the dark web. Bots systematically attack websites and try these lists of credentials, and notify the attacker when they gain access.<\/p>\n
Types of Brute Force Attacks<\/h2>\n\n- Simple brute force attack<\/strong>\u2014uses a systematic approach to \u2018guess\u2019 that doesn\u2019t rely on outside logic.<\/li>\n
- Hybrid brute force attacks<\/strong>\u2014starts from external logic to determine which password variation may be most likely to succeed, and then continues with the simple approach to try many possible variations.<\/li>\n
- Dictionary attacks<\/strong>\u2014guesses usernames or passwords using a dictionary of possible strings or phrases.<\/li>\n
- Rainbow table attacks<\/strong>\u2014a rainbow table is a precomputed table for reversing cryptographic hash functions. It can be used to guess a function up to a certain length consisting of a limited set of characters.<\/li>\n
- Reverse brute force attack<\/strong>\u2014uses a common password or collection of passwords against many possible usernames. Targets a network of users for which the attackers have previously obtained data.<\/li>\n
- Credential stuffing<\/strong>\u2014uses previously-known password-username pairs, trying them against multiple websites. Exploits the fact that many users have the same username and password across different systems.<\/li>\n<\/ul>
Hydra and Other Popular Brute Force Attack Tools<\/h2>\n
Security analysts use the THC-Hydra tool to identify vulnerabilities in client systems. Hydra quickly runs through a large number of password combinations, either simple brute force or dictionary-based. It can attack more than 50 protocols and multiple operating systems. Hydra is an open platform; the security community and attackers constantly develop new modules.<\/p>\n
![\"Hydra](\"https:\/\/www.imperva.com\/learn\/wp-content\/uploads\/sites\/13\/2018\/01\/hydra-brute-force-attack.png\")
Hydra brute force attack<\/p><\/div>\n
Other top brute force tools are:<\/h3>\n\n- Aircrack-ng<\/strong>\u2014can be used on Windows, Linux, iOS, and Android. It uses a dictionary of widely used passwords to breach wireless networks.<\/li>\n
- John the Ripper<\/strong>\u2014runs on 15 different platforms including Unix, Windows, and OpenVMS. Tries all possible combinations using a dictionary of possible passwords.<\/li>\n
- L0phtCrack<\/strong>\u2014a tool for cracking Windows passwords. It uses rainbow tables, dictionaries, and multiprocessor algorithms.<\/li>\n
- Hashcat<\/strong>\u2014works on Windows, Linux, and Mac OS. Can perform simple brute force, rule-based, and hybrid attacks.<\/li>\n
- DaveGrohl<\/strong>\u2014an open-source tool for cracking Mac OS. Can be distributed across multiple computers.<\/li>\n
- Ncrack<\/strong>\u2014a tool for cracking network authentication. It can be used on Windows, Linux, and BSD.<\/li>\n<\/ul>\n
Weak Passwords that Enable Brute Force Attacks<\/h2>\n
Today, individuals possess many accounts and have many passwords. People tend to repeatedly use a few simple passwords, which leaves them exposed to brute force attacks. Also, repeated use of the same password can grant attackers access to many accounts.<\/p>\n
Email accounts protected by weak passwords may be connected to additional accounts, and can also be used to restore passwords. This makes them particularly valuable to hackers. Also, if users don\u2019t modify their default router password, their local network is vulnerable to attacks. Attackers can try a few simple default passwords and gain access to an entire network.<\/p>\n
Some of the most commonly found passwords in brute force lists include: date of birth, children\u2019s names, qwerty, 123456, abcdef123, a123456, abc123, password, asdf, hello, welcome, zxcvbn, Qazwsx, 654321, 123321, 000000, 111111, 987654321, 1q2w3e, 123qwe, qwertyuiop, gfhjkm.<\/p>\n
Strong passwords provide better protection against identity theft, loss of data, unauthorized access to accounts etc.<\/p>\n
How to Prevent Brute Force Password Hacking<\/h2>\n
To protect your organization from brute force password hacking, enforce the use of strong passwords. Passwords should:<\/p>\n
\n- Never use information that can be found online (like names of family members).<\/li>\n
- Have as many characters as possible.<\/li>\n
- Combine letters, numbers, and symbols.<\/li>\n
- Be different for each user account.<\/li>\n
- Avoid common patterns.<\/li>\n<\/ul>\n
As an administrator, there are methods you can implement to protect users from brute force password cracking:<\/p>\n
\n- Lockout policy<\/strong>\u2014you can lock accounts after several failed login attempts and then unlock it as the administrator.<\/li>\n
- Progressive delays<\/strong>\u2014you can lock out accounts for a limited amount of time after failed login attempts. Each attempt makes the delay longer.<\/li>\n
- Captcha<\/strong><\/a>\u2014tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks while brute force tools cannot.<\/li>\n
- Requiring strong passwords<\/strong>\u2014you can force users to define long and complex passwords. You should also enforce periodical password changes.<\/li>\n
- Two-factor authentication<\/strong><\/a>\u2014you can use multiple factors to authenticate identity and grant access to accounts.<\/li>\n<\/ul>\n
Hydra and Other Popular Brute Force Attack Tools<\/h2>\n
Security analysts use the THC-Hydra tool to identify vulnerabilities in client systems. Hydra quickly runs through a large number of password combinations, either simple brute force or dictionary-based. It can attack more than 50 protocols and multiple operating systems. Hydra is an open platform; the security community and attackers constantly develop new modules.<\/p>\n
Hydra brute force attack<\/p><\/div>\n
Other top brute force tools are:<\/h3>\n\n- Aircrack-ng<\/strong>\u2014can be used on Windows, Linux, iOS, and Android. It uses a dictionary of widely used passwords to breach wireless networks.<\/li>\n
- John the Ripper<\/strong>\u2014runs on 15 different platforms including Unix, Windows, and OpenVMS. Tries all possible combinations using a dictionary of possible passwords.<\/li>\n
- L0phtCrack<\/strong>\u2014a tool for cracking Windows passwords. It uses rainbow tables, dictionaries, and multiprocessor algorithms.<\/li>\n
- Hashcat<\/strong>\u2014works on Windows, Linux, and Mac OS. Can perform simple brute force, rule-based, and hybrid attacks.<\/li>\n
- DaveGrohl<\/strong>\u2014an open-source tool for cracking Mac OS. Can be distributed across multiple computers.<\/li>\n
- Ncrack<\/strong>\u2014a tool for cracking network authentication. It can be used on Windows, Linux, and BSD.<\/li>\n<\/ul>\n
Weak Passwords that Enable Brute Force Attacks<\/h2>\n
Today, individuals possess many accounts and have many passwords. People tend to repeatedly use a few simple passwords, which leaves them exposed to brute force attacks. Also, repeated use of the same password can grant attackers access to many accounts.<\/p>\n
Email accounts protected by weak passwords may be connected to additional accounts, and can also be used to restore passwords. This makes them particularly valuable to hackers. Also, if users don\u2019t modify their default router password, their local network is vulnerable to attacks. Attackers can try a few simple default passwords and gain access to an entire network.<\/p>\n
Some of the most commonly found passwords in brute force lists include: date of birth, children\u2019s names, qwerty, 123456, abcdef123, a123456, abc123, password, asdf, hello, welcome, zxcvbn, Qazwsx, 654321, 123321, 000000, 111111, 987654321, 1q2w3e, 123qwe, qwertyuiop, gfhjkm.<\/p>\n
Strong passwords provide better protection against identity theft, loss of data, unauthorized access to accounts etc.<\/p>\n
How to Prevent Brute Force Password Hacking<\/h2>\n
To protect your organization from brute force password hacking, enforce the use of strong passwords. Passwords should:<\/p>\n
\n- Never use information that can be found online (like names of family members).<\/li>\n
- Have as many characters as possible.<\/li>\n
- Combine letters, numbers, and symbols.<\/li>\n
- Be different for each user account.<\/li>\n
- Avoid common patterns.<\/li>\n<\/ul>\n
As an administrator, there are methods you can implement to protect users from brute force password cracking:<\/p>\n
\n- Lockout policy<\/strong>\u2014you can lock accounts after several failed login attempts and then unlock it as the administrator.<\/li>\n
- Progressive delays<\/strong>\u2014you can lock out accounts for a limited amount of time after failed login attempts. Each attempt makes the delay longer.<\/li>\n
- Captcha<\/strong><\/a>\u2014tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks while brute force tools cannot.<\/li>\n
- Requiring strong passwords<\/strong>\u2014you can force users to define long and complex passwords. You should also enforce periodical password changes.<\/li>\n
- Two-factor authentication<\/strong><\/a>\u2014you can use multiple factors to authenticate identity and grant access to accounts.<\/li>\n<\/ul>\n
Weak Passwords that Enable Brute Force Attacks<\/h2>\n
Today, individuals possess many accounts and have many passwords. People tend to repeatedly use a few simple passwords, which leaves them exposed to brute force attacks. Also, repeated use of the same password can grant attackers access to many accounts.<\/p>\n
Email accounts protected by weak passwords may be connected to additional accounts, and can also be used to restore passwords. This makes them particularly valuable to hackers. Also, if users don\u2019t modify their default router password, their local network is vulnerable to attacks. Attackers can try a few simple default passwords and gain access to an entire network.<\/p>\n
Some of the most commonly found passwords in brute force lists include: date of birth, children\u2019s names, qwerty, 123456, abcdef123, a123456, abc123, password, asdf, hello, welcome, zxcvbn, Qazwsx, 654321, 123321, 000000, 111111, 987654321, 1q2w3e, 123qwe, qwertyuiop, gfhjkm.<\/p>\n
Strong passwords provide better protection against identity theft, loss of data, unauthorized access to accounts etc.<\/p>\n
How to Prevent Brute Force Password Hacking<\/h2>\n
To protect your organization from brute force password hacking, enforce the use of strong passwords. Passwords should:<\/p>\n
- \n
- Never use information that can be found online (like names of family members).<\/li>\n
- Have as many characters as possible.<\/li>\n
- Combine letters, numbers, and symbols.<\/li>\n
- Be different for each user account.<\/li>\n
- Avoid common patterns.<\/li>\n<\/ul>\n
As an administrator, there are methods you can implement to protect users from brute force password cracking:<\/p>\n
- \n
- Lockout policy<\/strong>\u2014you can lock accounts after several failed login attempts and then unlock it as the administrator.<\/li>\n
- Progressive delays<\/strong>\u2014you can lock out accounts for a limited amount of time after failed login attempts. Each attempt makes the delay longer.<\/li>\n
- Captcha<\/strong><\/a>\u2014tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks while brute force tools cannot.<\/li>\n
- Requiring strong passwords<\/strong>\u2014you can force users to define long and complex passwords. You should also enforce periodical password changes.<\/li>\n
- Two-factor authentication<\/strong><\/a>\u2014you can use multiple factors to authenticate identity and grant access to accounts.<\/li>\n<\/ul>\n
- Progressive delays<\/strong>\u2014you can lock out accounts for a limited amount of time after failed login attempts. Each attempt makes the delay longer.<\/li>\n
- Lockout policy<\/strong>\u2014you can lock accounts after several failed login attempts and then unlock it as the administrator.<\/li>\n