Users with short, simple passwords are the main target of attackers using the exhaustive-search method, better known as brute force. This fairly simple method often gets results and, in theory, lets an attacker obtain the password of an account on any service or portal if that account is not sufficiently protected.
The danger of brute force
“Brute force” literally means “crude force”, which describes the essence of such an attack: every possible password is tried in turn, and this goes on until the right one is found. Guessing a truly complex password, however, can take several years, which no one is likely to wait for. Complex passwords therefore protect you almost 100% against successful brute-force attempts.
Passwords made of simple combinations of characters that sit next to each other on the keyboard are easy prey for brute force. This may be a run of digits (“123456”) or a run of letters (“qwerty”). Weak passwords also include those that represent a date (“18051991”) or a meaningful word, especially “admin” and “password”. Even a Russian word typed in the English keyboard layout (“gfhjkm”) can be guessed.
It may take only 2-3 hours to break into an account with a medium-strength password, and the simpler the password, the faster the attack reaches its goal. Passwords are enumerated with special software, which is either written by the cybercriminals themselves or borrowed from their colleagues. Previously compromised computers and servers provide the computing capacity, and they, in turn, may well have been compromised with the help of brute force.
An account with a guessed password can be used not only to break into further accounts but also to send spam. If it is the account of a site administrator, then once it is hacked, attackers can place malicious code on the site. The brute-force method is also used to gain access to secret files or confidential user information.
Brute force protection
Modern systems have fairly reliable ways of protecting accounts against brute force. Limiting login attempts deals with it effectively: for example, if a user types the wrong login-password pair three times in a row, the next attempt is allowed only after 15 minutes. It is also common for a failed login attempt to prompt the user to complete a CAPTCHA, which password-guessing malware is unlikely to be able to solve.
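The attempt limit described above, written out as an added example (not code from the article): a small login throttle that counts consecutive failures per account and locks the account for 15 minutes after three wrong guesses. The clock is injectable so the lockout can be exercised without waiting; the credential store and the `FakeClock` helper are constructed for the demonstration only.

```python
import hmac
import time

MAX_FAILURES = 3            # consecutive failures allowed (value from the article)
LOCKOUT_SECONDS = 15 * 60   # lockout length once the limit is hit (value from the article)


class LoginThrottle:
    """Counts consecutive failed logins per account and locks the account
    for LOCKOUT_SECONDS after MAX_FAILURES failures in a row.

    `clock` is any zero-argument function returning seconds; it is injectable
    so the lockout can be exercised in a test without actually waiting.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # account -> consecutive failure count
        self.locked_until = {}  # account -> time (seconds) when the lockout ends

    def seconds_until_unlock(self, account):
        """0 if the account is not locked (or the lockout has expired)."""
        until = self.locked_until.get(account)
        if until is None:
            return 0
        remaining = until - self.clock()
        if remaining <= 0:
            # Lockout has expired: forget it and reset the failure counter.
            del self.locked_until[account]
            self.failures[account] = 0
            return 0
        return remaining

    def attempt(self, account, password, check_password):
        """Process one login attempt.

        Returns "locked", "ok" or "bad_credentials". A locked account gets
        "locked" even when the password is correct, so the lockout itself
        does not reveal whether a guess was right.
        """
        if self.seconds_until_unlock(account) > 0:
            return "locked"
        if check_password(account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
        return "bad_credentials"


# Constructed demo credential store (hypothetical, not a real user database).
DEMO_PASSWORDS = {"alice": "correct horse battery staple"}


def demo_check_password(account, password):
    """Constant-time comparison against the demo store; unknown accounts
    always fail but still go through the comparison."""
    stored = DEMO_PASSWORDS.get(account, "")
    matches = hmac.compare_digest(stored.encode(), password.encode())
    return matches and account in DEMO_PASSWORDS


class FakeClock:
    """Manually advanced clock used to demonstrate the lockout expiring."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo_sequence():
    """Three wrong guesses, then the correct password during the lockout,
    then the same correct password after the lockout has expired."""
    clock = FakeClock(1_000_000.0)
    throttle = LoginThrottle(clock=clock)
    results = [throttle.attempt("alice", "wrong%d" % i, demo_check_password) for i in range(3)]
    results.append(throttle.attempt("alice", DEMO_PASSWORDS["alice"], demo_check_password))
    clock.advance(LOCKOUT_SECONDS)
    results.append(throttle.attempt("alice", DEMO_PASSWORDS["alice"], demo_check_password))
    return results


if __name__ == "__main__":
    print(demo_sequence())
```

Note that the throttle keys on the account name, which is what stops a single account from being hammered; a real deployment would also track the source IP address, because an attacker who rotates through many accounts never trips a per-account counter.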
Two-factor authentication is also widely used. With it, the user is asked to enter not only a username and password but also, for example, a code sent to their phone number. By the way, we have implemented our own two-factor authentication mechanism using the “Brutus” application. For additional confirmation of the user’s identity, the device from which the login is made and the user’s location are also taken into account.
However, some systems and applications may lack such safeguards. A brute-force attack can then be carried out easily, and dealing with it afterwards is usually not easy. The site administrator should be alerted when an unknown user from the same IP address starts persistently trying to log into the system. This can be tracked, first of all, with the help of log files. But it is better to make sure it does not happen at all.
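The log-file check described above, as an added example that is not part of the original article: a small detector that reads OpenSSH-style “Failed password” lines, groups failures by source IP and flags any address with at least a threshold of failures inside a sliding time window. The log lines, the threshold (5 in 10 minutes) and the year (syslog timestamps carry none) are constructed assumptions, and the IP addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH "Failed password" lines in classic syslog format.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, username, source_ip) for every failed-login line.
    Syslog lines have no year, so the caller supplies one (assumed 2024 here)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        ts = datetime.strptime("%d %s" % (year, ts_text), "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def _max_failures_in_window(times, window_seconds):
    """Largest number of events inside any window_seconds span (two-pointer sweep over sorted times)."""
    best = 0
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce_sources(lines, threshold=5, window_seconds=600, year=2024):
    """Return {ip: summary} for every source IP with at least `threshold`
    failed logins inside some `window_seconds` window. The summary also lists
    the usernames tried: many different names from one IP is itself a signal."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines, year):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [ts for ts, _ in events]
        peak = _max_failures_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = {
                "failures": len(events),
                "peak_in_window": peak,
                "users": sorted({user for _, user in events}),
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            }
    return flagged


# Constructed sample log (not from a real system): one address hammers three
# account names within 20 seconds; another has two unrelated failures hours apart.
SAMPLE_LOG = [
    "Mar  3 10:15:01 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:15:04 web01 sshd[2203]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    "Mar  3 10:15:07 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51141 ssh2",
    "Mar  3 10:15:11 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2",
    "Mar  3 10:15:15 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51162 ssh2",
    "Mar  3 10:15:20 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51170 ssh2",
    "Mar  3 10:16:02 web01 sshd[2213]: Failed password for alice from 198.51.100.20 port 40010 ssh2",
    "Mar  3 10:16:40 web01 sshd[2215]: Accepted password for alice from 198.51.100.20 port 40011 ssh2",
    "Mar  3 11:30:00 web01 sshd[2300]: Failed password for bob from 198.51.100.20 port 40100 ssh2",
]

if __name__ == "__main__":
    for ip, summary in find_bruteforce_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The sliding window matters: a user who mistypes a password twice in the morning and once in the evening never reaches the threshold, while the same count compressed into a few seconds does. Running the same logic over a web application's own authentication log only requires swapping the regular expression.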
Limit the number of login attempts on your site, use a CAPTCHA, and implement two-factor authentication. To keep your own accounts safe, use complex passwords made of letters, numbers and symbols. Special generators exist for creating such passwords, and password managers can be used to store them securely. And remember to change your passwords at least once a year.
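As an added example (not code from the article), the weak-password patterns named earlier turned into a checker a site could run at registration: it rejects keyboard runs (“123456”, “qwerty”), dates (“18051991”), common words (“admin”, “password”) and Russian words typed in the English layout (“gfhjkm”), and it estimates the size of the search space an exhaustive attack would have to cover. The minimum length, the word lists and the guessing rate are constructed assumptions; a real deployment would use a full common-password dictionary.

```python
import re
import string

# Keyboard rows used to spot "adjacent key" passwords such as qwerty or 123456.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Tiny constructed list standing in for a real common-password dictionary.
COMMON_PASSWORDS = {"admin", "password", "qwerty", "123456", "letmein", "welcome"}

# English-layout key -> Russian letter on the same physical key (ЙЦУКЕН layout).
EN_TO_RU = dict(zip("qwertyuiop[]asdfghjkl;'zxcvbnm,.",
                    "йцукенгшщзхъфывапролджэячсмитьбю"))

# Tiny constructed Russian word list; a real check would use a full dictionary.
RUSSIAN_WORDS = {"пароль", "привет", "любовь"}

MIN_LENGTH = 12  # assumed policy value; the article gives no specific length


def keyboard_run(pw, run=4):
    """Return the first run of `run` adjacent keys (forwards or backwards) found in pw, else None."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return seq[i:i + run]
    return None


def looks_like_date(pw):
    """True for eight digits that parse as DDMMYYYY or YYYYMMDD."""
    if not re.fullmatch(r"\d{8}", pw):
        return False
    d1, m1, y1 = int(pw[:2]), int(pw[2:4]), int(pw[4:])
    y2, m2, d2 = int(pw[:4]), int(pw[4:6]), int(pw[6:])
    plausible = lambda d, m, y: 1 <= d <= 31 and 1 <= m <= 12 and 1900 <= y <= 2099
    return plausible(d1, m1, y1) or plausible(d2, m2, y2)


def russian_word_in_english_layout(pw):
    """Map each key to its Russian-layout letter and look the result up in the word list."""
    mapped = "".join(EN_TO_RU.get(ch, ch) for ch in pw.lower())
    return mapped if mapped in RUSSIAN_WORDS else None


def character_classes(pw):
    """List of (present, alphabet_size) for lower, upper, digits and punctuation."""
    return [
        (any(c.islower() for c in pw), 26),
        (any(c.isupper() for c in pw), 26),
        (any(c.isdigit() for c in pw), 10),
        (any(c in string.punctuation for c in pw), len(string.punctuation)),  # 32 symbols
    ]


def search_space(pw):
    """Number of candidates an exhaustive search must cover for this length and alphabet."""
    alphabet = sum(size for present, size in character_classes(pw) if present)
    return alphabet ** len(pw)


def seconds_to_exhaust(pw, guesses_per_second=1e10):
    """Worst-case time to try the whole space. The rate is an assumed offline
    cracking speed used for illustration, not a figure from the article."""
    return search_space(pw) / guesses_per_second


def check_password(pw):
    """Return the list of reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    run = keyboard_run(pw)
    if run:
        reasons.append("keyboard sequence: " + run)
    if looks_like_date(pw):
        reasons.append("looks like a date")
    word = russian_word_in_english_layout(pw)
    if word:
        reasons.append("Russian word typed in English layout: " + word)
    if sum(1 for present, _ in character_classes(pw) if present) < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "qwerty", "18051991", "gfhjkm", "Tr0ub4dor&3-xK9!"]:
        print(candidate, check_password(candidate), "%.3g s to exhaust" % seconds_to_exhaust(candidate))
```

The search-space figure is what the article's “several years” rests on: six digits give a million candidates, while sixteen characters drawn from all four classes give 94^16, which no realistic guessing rate exhausts in a human lifetime. The layout check works because the ЙЦУКЕН layout is a fixed mapping of the same physical keys, so “gfhjkm” maps straight back to “пароль”.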