Brute Force Attack Definition

KZero Staff
Jul 27, 2023

What is a Brute Force Attack?

A brute force attack is a method used by hackers or cybercriminals to breach a network or encrypted data by systematically trying all possible combinations of passwords or encryption keys until the correct one is guessed. True to their name, these attacks rely on the sheer computing power and speed of modern computers to bypass security measures.

A brute force attack is the only type of attack that is guaranteed to succeed... eventually. However, a well-designed and secure system will ensure that a successful brute force attack takes too long or too many resources to be feasible.

How Does a Brute Force Attack Work?

A brute force attack involves trying every possible value for a password, private key, or similar value until the attacker finds the right one. Since the password or key exists, it’s guaranteed that the attack will succeed at some point, but, ideally, it will take a while.

For this reason, most brute force attacks are automated, enabling them to run much faster than a manual attack. The automated software used by the brute force attacker systematically tries different combinations, starting from the simplest and most commonly used passwords, such as “123456” or “password,” and gradually progressing to more complex combinations until it gains entry.

A brute force attack doesn’t rely on any specific knowledge about the target system or encryption algorithm. Instead, all the attacker needs is the ability to try a large number of possibilities quickly. These attacks can succeed if the targeted system has weak security measures.

When Can Brute Force Succeed?

If a password-based authentication system or encryption algorithm is designed, implemented, and used properly, a brute force attack is a hopeless technique. For example, a random 14-character password consisting of uppercase and lowercase letters, numbers, and symbols will take centuries to crack. Writing the time it takes to brute force a random encryption key requires the use of exponents.

That said, brute force is still a common attack vector. The reason for this is that many security systems aren’t designed, implemented, and used properly. Some common mistakes that make brute force attacks feasible include:

  • Weak Passwords: A strong password is long, random, and complex. Using too short of a password or one that isn’t randomly generated makes it feasible for an attacker to brute force it in a reasonable amount of time.
  • Derived Keys: In some cases, users may generate cryptographic keys by hashing a word or phrase since hashes and encryption keys are often the same length. However, this makes it much easier for an attacker to search the space of potential keys since it is limited to common words and phrases rather than a massive number of random values.
  • Poor Random Number Generation: Computers are bad at randomness, so most “random” numbers are created using pseudorandom number generators (PRNGs) that are seeded with a “random” value. The use of a weak PRNG or a weak seed — such as the system time when the algorithm is run — dramatically reduces the range of values that an attacker needs to check.

Protecting Against Brute Force Attacks

Brute force is only feasible if an encryption or authentication system is used incorrectly. Some best practices for protecting against these attacks include:

  • Random Generation: Always generate passwords, encryption keys, and similar values using a cryptographically-secure PRNG. This forces the attacker to search the full range of possible values.
  • Password Policies: Require passwords to be of a certain length and contain a range of characters (letters, numbers, symbols, etc). Each additional character multiplies the space that an attacker needs to search, so the search space grows exponentially with password length.
  • Key Rotation: Perform password and key rotation on a regular basis. This way, by the time an attacker can brute force a key, it’s no longer valid.
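
An added example (not from the original page) that puts numbers on the mistakes listed under "When Can Brute Force Succeed?" and on the practices above: it computes the effective search space for each case and generates values with Python's `secrets` CSPRNG. The guess rate, the word-list size and the one-day seed window are assumptions chosen for illustration.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 1e10            # assumed attacker speed, illustration only
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def bits(search_space: int) -> float:
    """Effective strength: log2 of the number of values an attacker must try."""
    return math.log2(search_space)

def years_to_exhaust(search_space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return search_space / rate / SECONDS_PER_YEAR

def generate_password(length: int = 14) -> str:
    """Random password drawn from a CSPRNG, so the full space must be searched."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_key(num_bytes: int = 32) -> bytes:
    """Random 256-bit key from the operating system's CSPRNG."""
    return secrets.token_bytes(num_bytes)

# Constructed cases: label -> number of candidates the attacker has to cover.
CASES = {
    "random 14-char password": len(ALPHABET) ** 14,
    "random 8-char lowercase password": 26 ** 8,
    "key = hash of a word (assumed 1,000,000-word list)": 10 ** 6,
    "key from PRNG seeded with clock seconds (assumed 1-day window)": 86_400,
    "random 256-bit key": 2 ** 256,
}

def report() -> dict:
    """Map each case to (effective bits, worst-case years to exhaust)."""
    return {name: (bits(n), years_to_exhaust(n)) for name, n in CASES.items()}

if __name__ == "__main__":
    for name, (b, years) in report().items():
        print(f"{name:65s} {b:6.1f} bits  {years:.3g} years")
    print("example password:", generate_password())
    print("example key:", generate_key().hex())
```

A key that is 256 bits long but derived from a word or a clock-seeded PRNG is only as strong as the number of possible inputs, which is why those rows report roughly 20 and 16 bits.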


Brute force attacks are only feasible if something has gone wrong with the design, implementation, or use of an authentication or encryption system. Implementing and enforcing strong security policies and best practices can make these attacks infeasible.
