Brute force is one way to identify the string of characters that makes up a password. Password cracking by brute force cycles through candidate values until the correct password is found. Some brute force methods cycle through dictionary terms, while others cycle through every possible character combination.
Most user credentials consist of a username and a password. A username might be stored in plaintext or learned through a phishing scam. Passwords are usually hashed before being stored in a database, and a hash is not the plaintext password: having the hash alone does not give an attacker the user's password. Stealing hashes is often the first step in brute-forcing a password, because with a list of hashes an attacker can iterate through dictionary terms or character combinations, hashing each one, until a hash matches.
An attacker needs a list of accounts before using a brute force attack to identify passwords. Phishing is often used to gather accounts and can also give attackers passwords. When attackers have a list of hashes or encrypted password values, they need brute force to determine their corresponding plaintext password values. How a brute force attack is carried out depends on the types of passwords.
When an attacker has a list of password hashes, a dictionary attack is the expected approach. The attacker takes a list of common password values and dictionary terms, hashes each one, and compares the result to the stolen hash values. If a match is found, the attacker has obtained the plaintext password. It should be noted that most organizations add a salt value to each password to hinder brute-force password cracking. A salt is a string of characters combined with the password when the password is created. If the attacker does not know the salt, the hashes produced by the brute force attempt will not match the hash stored in the database.
Most passwords are not stored encrypted, but some critical values can be stored in encrypted form. Decrypting those values requires a key, so an attacker must brute force the key to recover them. A recovered decryption key reveals every value encrypted with it, so the attacker only needs to crack that one key. With the key, the attacker would have access to all passwords, which is why hashed passwords are preferred over values encrypted under a single key.
Credentials that grant access to sensitive data give attackers the potential for identity theft and the ability to steal data for use in future attacks. Storing salt values separately from the hashes is one way to hinder brute forcing. A dictionary attack will only reproduce the stored hash if the attacker also has the salt to feed into the hashing iterations. (Salting is a concept that typically pertains to password hashing. Essentially, it's a unique value that can be added to the end of the password to create a different hash value.)
It's not common for organizations to store passwords under an encryption key, but brute force is often used to recover keys that decrypt sensitive data. Keep encryption keys safe so they cannot be stolen and brute forced.
Users can protect themselves by enabling two-factor authentication (2FA) on their accounts. Should an attacker brute force a user's password, the cracked password alone would not grant access to the account. 2FA requires a secondary method to access an account, so users can protect their accounts even when their password has been compromised without their knowledge.
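The two storage schemes described above, as an added example that is not part of the original article: a naive store that hashes each password with plain SHA-256, against which a precomputed table of hashed dictionary words matches directly, beside a defensive store that combines a random per-user salt with a slow, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). The wordlist and the password values are constructed for the demonstration; the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample wordlist; real dictionary lists hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "summer2024"]


def unsalted_hash(password: str) -> str:
    """Naive storage: plain SHA-256 of the password, no salt (weak)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_dictionary_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext for every dictionary word.
    This is only useful against unsalted stores, where identical passwords
    always produce identical hashes, so the table can be reused indefinitely."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Single table lookup: an unsalted hash of a dictionary word is found at once."""
    return table.get(stored_hash)


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Defensive storage: a fresh 16-byte random salt per user, then PBKDF2.
    The salt is stored alongside the hash; the iteration count makes each
    guess cost the attacker the same work it costs the verifier."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def precomputed_table_hits(record: dict, table: Dict[str, str]) -> bool:
    """Whether a precomputed unsalted table contains the salted hash.
    Because of the random salt this is always False, even for a weak password:
    the attacker must redo the full iterated hashing per user and per guess."""
    return record["hash"] in table


def demo() -> dict:
    """Run both schemes on the same weak password and report the outcome."""
    table = build_dictionary_table(COMMON_PASSWORDS)
    weak = "letmein"
    record_a = make_salted_record(weak)
    record_b = make_salted_record(weak)  # same password, second user
    return {
        "unsalted_cracked": lookup_unsalted(unsalted_hash(weak), table),
        "salted_in_table": precomputed_table_hits(record_a, table),
        "same_password_same_hash": record_a["hash"] == record_b["hash"],
        "verify_correct": verify_salted(weak, record_a),
        "verify_wrong": verify_salted("letmeout", record_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt alone does not stop an attacker who has stolen both the hash and its salt from guessing that one user's password; it stops one precomputed table from being reused across every user, and the iterated hash raises the per-guess cost. Keeping the salt in a separate store, as the article suggests, adds a further hurdle on top of that.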
Susan Morrow
How Can TitanHQ Help?
TitanHQ offers various solutions to protect against brute force attacks:
- Email Security Solution: By filtering out phishing attempts, SpamTitan lowers the likelihood of attackers gathering credentials needed for brute-force attempts.
- Web Security Solution: Blocks risky websites, reducing exposure to brute force attempts by preventing employees from inadvertently visiting harmful sites designed to compromise credentials.
- Security Awareness Training Solution: TitanHQ's Security Awareness Training Solution educates users on strong password practices and two-factor authentication (2FA) usage, reducing the risk associated with brute-force vulnerabilities.