We all love social media; I sure know I do! Nothing like learning every little detail of our loved ones’ lives and sharing back! Who knew Shelly’s favorite color was green? Mine is orange! She also got a new dog named Fluffy-Royal! Well, my little pup…looks just like Fluffy-Royal! Her name is Blue! While all of this keeps us in the “loop,” it can put us in danger of Brute Force Attacks, a type of password attack.
We investigated some of the most common types of phishing and how our personal information can be used in a targeted attack. Phishing techniques such as a Man-in-the-Middle Attack are used to “steal” passwords. However, they are not the only way threat actors can get their hands on your passwords.
In this article we are going to look at password attacks, mainly Brute Force Attacks. But first, let’s look at what a password attack is.
Password Attacks
A password attack is when threat actors try to “crack” a password to access accounts, devices, and/or networks, which gives them access to confidential information. Threat actors often use applications that speed up the “cracking” of passwords so they can maliciously authenticate into password-protected accounts, devices, and/or networks.
Before we go over the different brute force attacks, we need to look at how to protect yourself from password attacks!
How to protect against Password Attacks
Ultimately, the best defense is to make sure that you follow basic rules for strong passwords!
- Use a Password Manager
- Use Long Unpredictable Passwords
- Avoid Dictionary Words
- Use Complex Passwords
- Use Multi-Factor Authentication (MFA)
- Use Biometrics to Authenticate
- Be alert! Identify phishing attempts!
- DO NOT Reuse Passwords!
- NEVER use Personal Information for Passwords!!
- Everyone knows your child’s birthday! (you probably told them!)
- Hire Us!
Brute Force Attack
Brute Force Attacks are among the most common and easiest methods for threat actors to gain access to accounts, devices, and/or networks, which is why they are so widespread. They are a simple yet reliable tactic for gaining unauthorized access to individual accounts, devices, and/or networks: threat actors use “brute force,” or repeated attempts, to gain access to password-protected accounts.
Traditional brute force attacks try to “crack” passwords character by character. In today’s Brute Force Attacks, however, threat actors use password-cracking applications, which try all possible letter, number, and symbol sequences until they hit the correct combination and gain access to the account, device, or network.
Password-cracking applications can rapidly guess these combinations, detect weak passwords, and “crack” them. Doing this by hand would be extremely difficult and time-consuming for anyone. With password-cracking applications, however, a typical brute force attack makes hundreds of guesses every second!
A threat actor can always discover a password through a Brute Force Attack. The disadvantage for the threat actor is that it could take years. Depending on the password’s length and complexity, there can very easily be billions of possible combinations!
Types of Brute force attacks
Simple brute force attacks
A simple brute force attack occurs when a threat actor tries to guess your login credentials manually without the use of software. This is typically conducted using basic password combinations or personal identification number (PIN) codes.
These attacks are simple if you still use weak passwords, such as “password123” or “1234.” Poor password practices, such as using the same password for multiple websites or leaving default passwords on devices such as routers, make them even easier. Your passwords can be guessed with minimal investigative work these days! Information such as the name of your favorite sports team, your children’s names, your year of graduation, the date you got married, and default passwords is easy to find!
Dictionary attacks
While dictionary attacks are a type of brute force attack, there is a key difference. Whereas traditional brute force attacks try to “crack” your password character by character, dictionary attacks work their way through a list of frequently used words and/or phrases. This can play a significant role in a threat actor’s password-cracking process!
More advanced attacks use details personalized to you, details that are easy to find online. Honestly, it can take moments to discover your favorite band from your music profile or your pet’s name from a social media account.
Threat actors run through dictionaries and then manipulate the words with special characters and numbers. So, a threat actor starts with “IHatePasswords,” then tries “IHateP@ssword.” If that does not work, they try “IHateP@55word,” and so on.
Hybrid brute force attacks
Hybrid brute force attacks combine a dictionary attack with a simple brute force attack. It starts with the threat actor having your username(s). The threat actor then uses both dictionary and simple brute force methods to discover working account login combinations.
In this attack, threat actors use a list of common or popular words and then add character, letter, and number combinations to find your correct password. This approach allows threat actors to discover passwords that combine frequently used words with numbers, years, or random characters, such as “YOURDOGSNAME123” or “YOURCHILDSNAME2024.”
Reverse brute force attacks
Reverse brute force attacks begin with a known password. Threat actors could have stolen your password through an earlier successful phishing attack. The threat actor then uses your password to search for a matching login credential using lists of millions of usernames. Commonly used weak passwords, such as “password123” or “admin,” are also used to search through a database of usernames for a match.
Credential stuffing
Credential stuffing preys on your weak password tendencies. Threat actors collect username and password combinations they have stolen from you. They then test your stolen credentials on other websites to see if they can gain access to more accounts. This method is successful if you use the same username and password combination for different accounts, such as your social media profile, your Wi-Fi, and your email.
Password Spraying Attacks
Password spraying is a type of brute force attack that tries to access accounts, devices, and/or networks by “spraying” a single password across multiple accounts. As its name suggests, this form of attack targets thousands or even millions of different users and accounts at once with the same password, rather than just one account. Spreading the login attempts across multiple users and/or organizations, rather than concentrating them on one, lessens the threat actor’s risk of being caught: it allows them to avoid lockout policies that are triggered by repeated failed login attempts against a single account.
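As an added illustration (not part of the original article), here is a small Python detector that spots the spraying pattern described above in constructed authentication log lines: one source failing against many different accounts with only one or two attempts each, staying under a typical per-account lockout threshold. The log format, field names and thresholds are assumptions made for this example.

```python
"""Added example: flag password-spraying patterns in authentication logs.

Spraying shows up as ONE source trying MANY distinct usernames with only a
failure or two per account, which stays below per-account lockout limits.
The log format and the thresholds below are assumptions for this example."""
from collections import defaultdict

# Constructed sample log lines (not real data): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.5
2024-05-01T09:00:03 FAIL user=carol src=203.0.113.5
2024-05-01T09:00:04 FAIL user=dave src=203.0.113.5
2024-05-01T09:00:05 FAIL user=erin src=203.0.113.5
2024-05-01T09:00:06 OK user=frank src=203.0.113.5
2024-05-01T09:01:00 FAIL user=alice src=198.51.100.7
2024-05-01T09:01:05 FAIL user=alice src=198.51.100.7
2024-05-01T09:01:09 OK user=alice src=198.51.100.7
"""


def parse_line(line):
    """Split one log line into (timestamp, result, username, source)."""
    ts, result, user_kv, src_kv = line.split()
    return ts, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def find_spraying(log_text, min_users=5, max_fails_per_user=2):
    """Return {source: sorted usernames} for sources that failed against at
    least `min_users` distinct accounts while never exceeding
    `max_fails_per_user` failures on any one account (the low-and-slow
    signature that per-account lockout policies miss)."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, result, user, src = parse_line(line)
        if result == "FAIL":
            fails[src][user] += 1
    hits = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
            hits[src] = sorted(per_user)
    return hits


if __name__ == "__main__":
    for src, users in find_spraying(SAMPLE_LOG).items():
        print(f"possible password spraying from {src}: {len(users)} accounts {users}")
```

The second source in the sample (two failures, then success, all on one account) is an ordinary mistyped password and is not flagged; only a source spread across many accounts is.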
Rainbow Table Attacks
To understand how a rainbow table attack works, you need to understand “hashing.” Hashing is the process of mathematically converting and encrypting passwords, so that they are stored as cryptographic (secret-form) sequences of characters rather than as plain text. When you set your password, it is automatically “hashed” by the system. When you later use your password, it is hashed again and the result is compared to the hashed value stored in the system. So, if anyone else were to see the database of stored passwords, they would see the encrypted or hashed values, not the actual passwords.
Rainbow table attacks are like dictionary attacks, but a rainbow table is used rather than a list of dictionary words. A rainbow table is the key to “un-hashing” hashed passwords: precomputed hashes are stored alongside the passwords that produced them. This allows threat actors to compare stolen hashed values against the rainbow table and “un-hash” your hashed passwords. Rainbow tables with solutions for common hashing algorithms can be found on the dark web as well as generated using automated tools.
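An added example (not from the original article) showing why a precomputed hash-to-password table can “un-hash” unsalted password hashes, and why storing a random per-user salt with each hash defeats that table. It uses SHA-256 and a constructed list of weak passwords; the function names are this example’s own, and real password storage should use a slow, salted scheme such as bcrypt, scrypt or Argon2 rather than plain SHA-256.

```python
"""Added example: precomputed lookup table vs. salted password hashes.

A rainbow table is a compressed form of a hash -> password lookup; a plain
dict is enough to show the idea. SHA-256 is used only to keep the example
small (assumption: use a slow, salted scheme such as bcrypt/scrypt/Argon2
for real storage)."""
import hashlib
import os

# Constructed list of weak passwords (not a real leaked list).
COMMON_PASSWORDS = ["password123", "1234", "admin", "qwerty", "letmein"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password for every candidate, once, ahead of time."""
    return {sha256_hex(p.encode()): p for p in candidates}


def store_unsalted(password: str) -> str:
    """The weak scheme: the same password always yields the same hash."""
    return sha256_hex(password.encode())


def store_salted(password: str, salt: bytes = None):
    """Hash the password together with a random per-user salt; return both
    so the salt can be stored next to the hash (it need not be secret)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex(), sha256_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare."""
    _, h = store_salted(password, bytes.fromhex(salt_hex))
    return h == stored_hash


def recover_with_table(stored_hash: str, table) -> "str | None":
    """Return the password if the stored hash appears in the table, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print(recover_with_table(store_unsalted("password123"), table))  # password123
    salt, h = store_salted("password123")
    print(recover_with_table(h, table))  # None: salt changed the hash
    print(verify_salted("password123", salt, h))  # True: login still works
```

Because the salt differs per user, a threat actor would need a separate table for every salt value, which removes the one-time precomputation advantage the table relies on.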
In conclusion
Brute Force Attacks are among the most common and easiest methods of “cracking” passwords. They are widespread and simple, yet a reliable tactic for gaining unauthorized access to your password-protected accounts, devices, or networks. Threat actors use “brute force,” or repeated attempts, to “crack” your passwords.
In today’s Brute Force Attacks, password-cracking applications are usually used to try all possible letter, number, and symbol sequences until they hit the correct combination and gain access to the account, device, or network. A threat actor can always discover a password through a Brute Force Attack, but there are ways to protect yourself!
Have you been a victim of a Brute Force Attack? We would like to help! Contact Us!