Fifth post of the Cyber Security Introduction series. Let's talk about Bruteforce attacks. Looking at how it happens, how you can prevent it and the impact it can have on businesses.
A Bruteforce attack is when a perpetrator will test many username and / or password combinations to gain access to a system. A good analogy would be trying out every combination on a four digit padlock with the exception that a computer can do it much faster.
This kind of attack can be used to gain access to various services.
- Modem / Router configurations
- WiFi Networks
- Decrypt passwords of encrypted storage
- Protocol logins (FTP, MySQL, SMTP, Telnet)
- User accounts (online storage, emails, banking)
- IOT Devices
Let's take a look at the various types of Bruteforce attacks:
Simple Bruteforce Attack - This will use no logic and just try every possible combinations.
Hybrid Bruteforce Attack - This will use basic logic to figure out what combinations to use. For example trying all combinations longer than 5 characters and containing at least one number.
Dictionary Bruteforce Attack - The attack will try combinations coming from a list. Usually this would be a list of the most common usernames and passwords.
Rainbow Bruteforce Attack - This attack uses rainbow tables which are a list of pre-computed hash results and reducing functions. This helps determine various possibilities for passwords when a hash is accessible.
Reverse Bruteforce Attack - This attack is based on knowing a parameter and trying to find a match. This will usually be used when the username is known.
Credential Recycling - Here an attacker would use already available credentials (from past data breach, hacks, etc.) to see if they will authenticate the user successfully.
Don't use personal information - It can be tempting to use names of family members, animals or birthdays as it makes passwords easier to remember. But keep in mind that this information is very easy to find through Social Engineering or online searches.
Make your password original - Try to use variance and include letters, numbers and symbols. This forces attackers to try numerous combinations which can be very time consuming.
Example below of the time required to Bruteforce a password depending on complexity.
Don't re-use passwords - Try to never use the same password as if it is leaked once then all your accounts are compromised. This can be very dangerous especially if your e-mail account gets compromised as it is used in most password recoveries. You can look into using password managers to help you manage all variations. You can try to check if your email has appeared in past breaches here: https://haveibeenpwned.com/
Use Multi Factor Authentication (MFA) - Most big services have implemented the MFA principle. This means if there is an irregular login you will be required to authorize it through an alternative system (usually SMS).
Don't use common passwords - Passwords that are in the most used password list should never be used. This list can be found here: https://nordpass.com/most-common-passwords-list/
Encrypt Data and Hash Passwords - Important user data in database should be encrypted and passwords should always be hashed! Here are the recommender algorithms by OWASP: Argon2id, PBKDF2, Bcrypt.
Implement 2FA or MFA - Whenever possible enable / implement two-factor authentication or multi-factor authentication. You can then force this to be triggered when there has been one failed password usage for the account.
Account Lockout - Consider blocking access to accounts after a certain number of failed connection attempts. The user would then have to access an email to unlock the account.
Captcha - Yes the devil is here! But you don't have to have the captcha active all the time you can require it after X failed attempts to mitigate any Bruteforce attacks.
Geo-loc - It is good to track the location (IP lookup) of your users. If you detect someone trying to login from another country you can then require 2FA or MFA to kick in to make sure it is the owner connecting. This could also trigger a lock out protocol as seen above.
Change default passwords - Many services come with root accounts that have a default password (admin:admin, mysql:root, etc.). These passwords should ALWAYS be changed.
Check on compromised users - You may want to look at APIs like Have I Been Pwned, Breach Alarm, DeHashed to see if your users or employees appear in new breaches and force them to update their passwords.
Depending on the type of account that is successfully accessed a breach via Bruteforce Attack can be devastating. For instance if the root account of a MySQL service is hijacked this can lead to database dumps and modifications.
In some cases such as IOT the device could be hijacked and then used as part of a Botnet. Through the course of 2020 the infection of IOT devices has grown by more than 100%. A lot of these attacks are successful due to unchanged default credentials.
As Bruteforce attacks in some cases require the trial of millions on combinations, it may lead to a unintentional Denial of Service or Distributed Denial of Service attacks which could also harm your services.
Pixium Digital is an agile software development company with their headquarters located in Singapore. We focus on shaping our clients project from ideas to successful project launch.
Cyber Security is a big part of any project we have to deliver. Very often we have been the witness of lack of awareness or caution from various providers or clients we have worked with. We aim to share those little tips to the community so that with everyone's effort, we can make the web a safer place.