Pretty much all of us know that hacking is a common practice. Unfortunately, not all hackers are ethical (e.g.
white hat hackers). A large portion of them are criminals that exploit, steal or do other criminal acts in order to profit or benefit. One of the most common hacking threats are the so-called brute force attacks. In this article, we're going to look at what is a brute force attack, how it works, give you some examples of it and share tips and tricks for protection. Let's begin!
Brute force attacks - a simplified overview
A brute force attack is where a hacker uses an automated system or a bot to guess the credentials (e.g. password or personal identification number (PIN)) of a target individual or organization. The attacker tries various combinations of characters (numbers, letters, and symbols) until they find the right one that gives them access to the account or system. It's all about trial-and-error and isn't linked to sophisticated break-ins, clever hacking, etc. The best brute force attacks can be helped by social engineering. For example, the hacker can know your birthdate and then try and manipulate that information to guess your PIN number. Yet, in the end, they're very straightforward, nevertheless, still dangerous.
Interestingly enough, brute force attacks have been around for a long time. One of the most famous brute force attacks was conducted in the late 1970s against the US National Security Agency (NSA). Two cryptanalysts, Jim Gillogly and Steve O'Mara used brute force methods to break an NSA cipher. They managed to find a key that helped them read a message that was meant to be unreadable. They were the first people to do so and received a lot of media attention for it.
Another famous example of a brute force attack happened in 2017. In that year, a brute force attack was launched against the WordPress content management system (CMS). Over 10,000,000 brute force attacks were conducted per hour during the height of the attack and a whopping 1,000,000,000 sites in total were targeted. The aim was to brute force weak passwords and then use those to access sites and plant malware on them.
The cart shows how serious the attacks were, targeting tens of millions of websites each hour.
Nowadays, brute force attacks are still conducted on a regular basis. They're one of the most common hacking methods as they can be easily conducted by anyone with malicious intent and some basic technical knowledge. Brute force attacks can target individuals, small businesses, and large organizations - anyone can be a victim. It's not a new or innovative solution, but with the right targeting and clever social engineering alongside, brute force attacks can be super effective.
How to protect your personal data from brute force attacks?
Now that we know what brute force attacks are, how they work and some famous examples of them, it's time to focus on the protection part. Here are some tips and tricks on how you can protect your personal data from brute force attacks:
Use strong passwords
: This one is pretty straightforward. The stronger your password is, the harder it will be for someone to brute force it. Avoid using easily guessed words like your name, birthdate, etc., and opt for a mix of letters (upper- and lower-case), numbers, and symbols. Also avoid continuations or sequences like "123456", "ABCDE", etc.
We have a list of the 25 worst passwords of 2022.
Change your password ASAP if it's one of these. You can use special software for password generation and password storage. It can be beneficial to have one difficult password to access a database with all of your accounts rather than 50 accounts, all with the same password.
Use two-factor authentication (2FA/MFA)
: Two-factor authentication is an additional layer of security that can go a long way in protecting your data. In short, 2FA adds an extra step to the login process by asking for a code or to accept a separate confirmation that's sent to your phone or email, further authenticating your identity. This means that even if someone brute forces your password, they won't be able to log in as they don't have access to your phone or email.
2FA/MFA is also widely used for financial operations, especially in the EU. Under current regulations, two-factor authentication is required to prove the authenticity of a request by any two of the three following factors: knowledge/possession/inheritance. Respectively, this can mean PIN codes/passwords, possession of a device, and biometric data. This has drastically reduced the totals of hacking and financial brute force crimes.
Use a VPN
: Another great way to protect your data is by using a VPN. A VPN encrypts your traffic and makes it harder for someone to snoop on what you're doing online. This means that even if someone brute forces their way into your account, they won't be able to see anything as it will all be encrypted. Yet, VPNs aren't totally bulletproof and can be bypassed, so it's important to use other methods of protection as well.
Keep your software up to date
: This is important for a variety of reasons, but brute force attacks are one of them. Outdated (legacy) software often has known vulnerabilities that can be exploited by hackers. By keeping your software up to date, you're patching those vulnerabilities and making it harder for someone to brute force their way into your account.
Take advantage of remote wipe and similar features
: Many apps and platforms these days have remote wipe features that allow you to remotely delete all of the data on a device or an app if it's lost, stolen, or compromised. This can be a lifesaver if your device is brute forced as you can simply wipe it and start fresh. We wrote an entire blog on remote wipe and its benefits for your privacy (
Click here).
How can businesses improve their protection against brute force attacks?
Since we've covered how individuals should better protect their own data, it's also important to shift our attention to businesses as well. Brute force attacks can have devastating consequences for businesses, both small and large. A lot of it is the same as with your personal data, but there are also some different things to do. Here are some tips on how businesses can better protect themselves against brute force attacks:
Invest in a good firewall
: A firewall is a critical piece of security infrastructure for any business. It can help to block brute force attacks by blocking suspicious IP addresses and traffic patterns. Firewalls work by inspecting incoming and outgoing traffic and comparing it against a set of rules that are established by the developer and/or your IT personnel. If the traffic doesn't meet the criteria set in the rules, the firewall will mark it or outright block it.
Use strong passwords and password policies
: This is one of the most important things you can do to protect your business from brute force attacks. By using strong passwords and password policies (such as requiring employees to change their passwords every few months), you make it much harder for hackers to brute force their way into your systems.
Implement two-factor authentication (2FA)
: Two-factor authentication (2FA) is an excellent way to protect your business from brute force attacks. By requiring two forms of identification (such as a password and a code sent to your phone), you make it much harder for hackers to gain access to your account. This is because even if they have your password, they won't be able to access your account without the code.
Monitor your system for brute force attacks
: By monitoring your system for brute force attacks, you can quickly spot suspicious activity and take action to mitigate it. This includes things like monitoring login attempts, IP addresses, and traffic patterns.
What can you do if you know you're facing a brute force attack or was exploited by one?
If you know that right now you're facing brute force attacks or you know that your device has just been brute-forced, there are a few things you can do:
Change your password
: This is the first and most obvious thing you should do. By changing your password, you make it much harder for the hacker to continue exploiting or to return.
Enable two-factor authentication (2FA)
: If you don't already have 2FA enabled, now is the time to do it. By requiring two forms of identification, you make it much harder for hackers to gain access to your account subsequently.
Contact service providers or your IT administrator
: Before panicking or doing something further, hold on a minute. If you know you're under attack or you've been brute forced, the best thing you can do often is simply to contact your service providers or your IT administrator. They'll be able to help you figure out what's going on and how to deal with it. Furthermore, they can address this to other people within your organization or implement patches & fixes to prevent this in the future.
What sites or services do brute force attacks target the most?
There are a variety of sites and services that brute force attacks target the most. Learning your password can be beneficial if you can also obtain access to information or permissions to manipulate, change something or take action.
Email is one of the most common targets of brute force attacks. This is because email accounts can be used as a key to change passwords on other platforms. So, it's like a secret key to your whole vault of personal information. Protecting your email credentials is very important.
Social media accounts are also targets for brute force attacks. Once a hacker has access to personal or business information, they can get financial benefits in exchange for the release of the account or even blackmail you.
Router admin panels are another common target of brute force attacks. This is because they're often left with the default or a weak password. By brute forcing the router admin panel, hackers can gain access to the router's settings and potentially redirect traffic or cut off internet access altogether. This is a sophisticated hack and is hard to defend against by an individual, but organizations need to address this right away.
Finally, WordPress is one of the most popular content management systems (CMS) in the world. Unfortunately, it's also one of the most popular targets of brute force attacks. This is because WordPress websites often have weak passwords and are easy to brute force due to their technical similarities. Hackers can then demand ransom, change the content, harm your business, blog, brand, etc.
Kraden - for private and secure communication that's protected from brute force attacks
We'd like to further address the fact that oftentimes, hackers target your social media accounts. Personal and group conversations on Kraden are private and secure (end-to-end encrypted) by default. Furthermore, every user needs to log in through their own device, meaning that the device has to be stolen.
This means that brute force attacks aren't a bother and with message data being encrypted, even a successful remote or sniffing attack won't be of use since the contents of messages will be unreadable. In addition, Kraden's encryption keys are generated and stored locally on each device, just like your conversation data. So, even if a hacker were to gain access to our servers, they wouldn't be able to brute force their way into your account or message contents. Give it a go to improve communication security.
Conclusion
A brute force attack is a type of hacking where hackers use brute force, or trial and error, to gain access to your account. This can be done by trying different username and password combinations until they find the right one. Once they have access to your account, they can then do whatever they want with it.
You can protect yourself from brute force attacks by using strong passwords, two-factor authentication, and a password manager. You should also contact your service providers or IT administrator if you think you're being brute forced.
Organizations can protect themselves from brute force attacks by implementing patches & fixes, and address this to other people within the organization. Only by implementing strict protocols, having up to date software and constantly happening what's happening with your business will lead to the ultimate security.