Brute force passwords (bruteforce - brute - force hacking) - what is it and how relevant is it?

[Father]

Table of contents

1. Mechanics of brutters work
2. Brute force protection at the user level
3. Resource-level protection against bruters
4. Results

Brute force is a method of hacking accounts and accounts based on password selection. The method is based on the "Infinite Monkey Theorem", which states that if a monkey (in our case, a program) randomly presses the typewriter buttons (fill in the password input window), then sooner or later it will reproduce Shakespeare's poem (choose the right combination).

Despite the primitiveness of the "force" method, it remains quite relevant due to its ease of use and effectiveness under "favorable external conditions": the absence of brute-force protection systems and weak passwords.

In this article, we will analyze the main features of modern brutters, as well as methods of protecting against them.: both at the infrastructure level and at the user-specific level.

Mechanics of brutters work​

In its purest form, all mechanics consist of one action: substitution of combinations. A variety of password libraries and dictionaries are used to speed up and organize this process.

Dmitry Kovalev
Head of the Information Security Department at Sissoft

Brute force is the most primitive way of selecting a password. It's the easiest way to protect yourself from it. The fact is that in this case, various brute-force dictionaries are used to crack and iterate through password options. In other words, the more complex and longer the password, the harder it is to find it through brute force. If the password consists of 16 characters, including numbers, special characters, upper and lower case, it will already be sufficiently protected.

Two basic metrics for brute-forcing are the library size and password matching speed. In the absence of security tools, the speed is limited not only by the capabilities of the malware, but also by the load that the hacked service can withstand.

Brute as a password cracking method is popular, first of all, because it requires a minimum set of skills on the part of the attacker. Just install the brutter and library, set the necessary parameters in the program, and wait for the result. But there are also three significant disadvantages:

1. The first one is typical for " newcomers "who, upon the request" download brute force", are very likely to receive not the desired software, but an n-th number of malware and a miner bot.
2. If the password is complex, you will have to wait from several months to several million years for the result.
3. Software solutions for brute-force protection do not require large investments, they simply integrate and reliably solve this specific task.

Alexander Sanin
Commercial Director of Avanpost Company

Brute force remains relevant, as not all systems are equipped with protection against such hacking. However, if brute force doesn't work for a few minutes now, then it's easier for an attacker to launch other mechanisms for obtaining unauthorized access. For example, phishing, hacking privileged accounts, or injecting malicious software. There are plenty of alternative ways for hackers to break into the infrastructure.

If you have a lot of tools for leveling attempts to find out the password using brute force, a lot of people neglect them, even if the service allows you to connect, for example, two-factor authentication. The main reason is that security tools, in some cases, reduce the speed of authentication or make this process less convenient.

Brute force protection at the user level​

The easiest way to protect your account is to enable two-factor authentication (if you have such functionality). In this case, knowing the password itself does not give the attacker any special opportunities to log in to the account.

No less effective, but more expensive in terms of effort, is to create a strong password. A strong password is one that contains letters in different cases, special characters, and numbers that are at least 8 characters in size.

Sergey Voldokhin
Director of Anti-Phishing LLC

The speed of brute-force password cracking can range from two seconds to five months and depends on the password length, character set, and system response time to entering an incorrect password.

Everyone knows the basic guidelines for password length and composition, but what really helps to increase the time of hacking? In fact, it is a person's ability to invent and remember complex passwords. How to do it? Sharing one of the techniques:

Step 1. Choose the original expression (it can be based on your goal or what is important for you for the next month)
Example: Sports 2 times a week

Step 2. Create a phrase in English (the meaning of the phrase should be clear to you)
Example: Training twice a week

Step 3. Shorten the words and add uppercase (so that you can remember it comfortably, and also randomly translate several letters to uppercase)
Example: Tng 2 tImes a wEek

Step 4. Add a few numbers and special characters to the password
Example: Tng 2 tImes @ wE3k

Step 5. We get a strong password and each time we enter it, we remember our goal and move
forward Example: Tng2tImes@wE3k

The use of mnemonic password storage methods solves the problem of brute force, since password selection, although theoretically possible, will take several centuries.

However, this does not solve the problem of obtaining passwords through phishing, exploiting vulnerabilities, or other methods. Therefore, it is recommended to change the password at certain intervals, from one month to six months, and use different passwords for different resources. Due to the fact that it is quite difficult to constantly remember several complex password options, a variety of password managers are popular.

Resource-level protection against bruters​

You can create conditions for minimizing the effectiveness of brute force almost without investment, creating effective requirements for users to create a password. The basic requirements relate to:

• minimum number of characters;
• using upper and lower case characters;
• number of duplicate characters;
• content of numbers and special characters.

Such conditions increase the overall level of password security, but do not solve the problem for everyone, since the user can still set a password in the format: "Lastname of Birth!".

Alexander Gerasimov
CISO Awillix

If we are looking at a simple web application with an authentication form, then the speed of brute-forcing the password will depend on how fast the web application and database processes requests. On average, without server load, the search speed is about 10 passwords per second. By increasing the number of concurrent requests per unit of time, you can increase the search speed, but there is a risk of denial of service due to a large number of database connections.

Different approaches and tools can be used to protect against brute-force attacks.For example, blocking multiple requests can be implemented at the software level. The developer can come up with a blocking algorithm based on various metrics and their combination: the source IP address, user-agent, and cookie values. A similar mechanism can be used for external services, such as QRATOR or Cloudflare. These services allow you to set various rules that will block or additionally check users. CAPTCHA tests are also one of the most effective ways to increase password search time.

A more advanced security mechanism is to create rules and patterns that identify a login attempt as suspicious or illegitimate. The definition can be based on the difference in IP addresses, the number of password entries, their frequency, and many other metrics.

However, the two most expensive (in terms of resources) methods show the greatest efficiency – the introduction of two-factor identification mechanisms and CAPTCHA tests.

If we talk about professional attacks, which are characterized by a high level of execution and technical competence of the attacker, then brute force acts only as an element of the attack. If it doesn't give results from the first minute, then the hacker moves on to other tools.

The second common use case for password cracking applications is the use of brutters to solve local problems. For example, selecting a password for an unsecured Wi-Fi network.

Results​

The relevance of brute-force methods" in general " directly depends on the overall level of digital literacy. In an ideal world, where each user uses unique strong passwords, any brute force will take too much time, even without implementing special security tools.

Ksenia Rysaeva
Head of the Group of Analysts at the Cyberart Threat Prevention Center, Innostage Group of Companies

The brute-force method remains one of the most popular ways to crack passwords to accounts in social networks, e-mail, online banks, payment systems, and other web resources. As long as all of them do not set up profile systems for blocking automatic password selection, brute force will remain relevant. Other authentication mechanisms, such as the same fingerprint, remain an alternative, but password authentication does not disappear, but only fades into the background.

At the same time, autopilot can be fast and effective in cases where the attack is targeted, and a personalized library is compiled based on OSINT intelligence data before launching the brutus. However, such a personalized approach is quite expensive, so it is unlikely to have a mass character.

Despite all the simplicity and "clumsiness" of the brute-force method, it remains a relevant tool for hacking accounts in cases where the company does not use security tools against auto-selection, and the user sees no reason to set a strong password.