+5 votes
in Security by (242k points)
Brute Force: when passwords are served on a silver platter

1 Answer

+3 votes
by (1.6m points)
Best answer

What exactly is brute force?
Why shouldn't you take brute force attacks lightly?
How to protect yourself from these attacks?
Join forces to fight brute force


Brute Force: when passwords are served on a silver platter

Although Apple never officially confirmed it, it is assumed that in 2014 the tech giant was the victim of a small but disastrous security breach in its iCloud storage service. There are reasons to suppose that the lack of protection against brute force attacks allowed the theft of private photos of various celebrities, a fact that was enough for Apple, shortly after the attacks, to implement protection measures. Since then, the security mechanism has been that users have a maximum of ten attempts to enter their password; if they fail, the account is blocked and the account holder is notified. Before the photos were leaked, there was no limit on entering incorrect passwords, so designing a brute force attack was only a matter of time.

What exactly is brute force?

The term brute force refers to a method of solving problems in the fields of computer science, cryptography, and game theory. The brute force method receives this name because it is based on trying all the possible solutions, or many of them, and is also known as exhaustive search; it is used especially when no other algorithms are available. This technique is used by hackers to crack passwords and thus gain access to external data. For this, software with a simple algorithm is used that runs through the various combinations of characters composed of digits, spaces and letters up to a defined maximum length.

The shorter the passwords, the faster they will be discovered by brute force. This is why, in general, it is always recommended to use passwords that include different characters, and why most password encryption systems use very long keys. As the technical requirements for brute force attacks are increasingly easy to meet, it is possible to make a greater number of attempts per unit of time, which makes a protection system against so-called brute force attacks a necessity.

Why shouldn't you take brute force attacks lightly?

Given the primitive nature of the method, one would expect appropriate security measures to be applied; unfortunately this is not always the case. Potentially, any system connected to the Internet can be compromised by these attacks. Once a hacker has gone unnoticed and hooked into a system (something that can happen faster than you think), cracking your passwords won't be difficult. Most operating systems keep files and databases where user IDs and passwords are stored. For example, on Windows systems the passwords are in the SAM file, and on Unix-like systems in the passwd or shadow file.

Although the passwords in these files are not in plain text, as they have been previously encoded using cryptographic algorithms, the attacker can access the files if they are not protected against unauthorized access. They can create a copy of the file and execute different brute force attacks on it without having to maintain the connection with the system. Currently, in principle, there are only three variables that make it easier for the attacker to fulfill their mission:

  • The duration of each verification step
  • The length of the password
  • The complexity of the password

The duration of each verification step, that is, the time used for the attempt with each possible password, depends on the computing power that the attacker has at their disposal. The higher the power, the faster the succession of attempts. The length and complexity determine the number of possible character combinations that can make up a password and, therefore, the number of options that must be tried during the brute force attack. Here's an example of how password length and complexity affect duration:

                              Column 1                          Column 2
  Number of characters        26 characters                     72 characters
  Character type              Lowercase                         Upper and lower case, special characters, numbers
  Maximum password length     8 characters                      8 characters
  Possible combinations       Approx. 209 million               Approx. 722 billion
  Computing power             Approx. 100 million hashes/s      Approx. 100 million hashes/s
  Length of exhaustive search Approx. 35 minutes                Approx. 83 days

The table shows that, with a simple password and using 26 characters, a modern PC would check all possible combinations in just 35 minutes. If the character set extends to 72 characters, with the same computing power, the brute force method would take about 83 days to complete. However, this should not be relied upon, as cracking methods such as the dictionary attack (combinations of words) or the use of rainbow tables (contiguous sequences of passwords) can shorten the duration of a brute force attack.
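The table's figures can be reproduced exactly. The following is an added example (not part of the original answer) that computes the keyspace and exhaustive-search time for both table columns, and then measures how much the "duration of each verification step" changes when the stored password hash is a slow derivation (PBKDF2) instead of a single SHA-256. Note that 26^8 is 208,827,064,576 candidates, which at 100 million hashes per second gives the table's 35 minutes; the charset sizes, rate and salt below are taken from the table or constructed here.

```python
import hashlib
import time

LOWERCASE = 26            # table column 1
MIXED_WITH_SPECIALS = 72  # table column 2
HASH_RATE = 100_000_000   # hash functions per second, as in the table
SALT = b"constructed-salt"  # constructed sample value, not a real secret


def keyspace(alphabet_size: int, length: int, cumulative: bool = False) -> int:
    """Candidates an exhaustive search must try.

    cumulative=False counts only passwords of exactly `length` characters,
    which is how the table's figures were computed; cumulative=True also
    counts every shorter length, which is what a search run from length 1
    upward actually tries.
    """
    if cumulative:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def measure_rate(hash_fn, seconds: float = 0.2) -> float:
    """Rough verification-step throughput of hash_fn on this machine."""
    pw = b"constructed-sample-password"
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(pw)
        n += 1
    return n / (time.perf_counter() - start)


def fast_hash(pw: bytes) -> bytes:   # one SHA-256 per guess: cheap to attack
    return hashlib.sha256(pw).digest()


def slow_hash(pw: bytes) -> bytes:   # PBKDF2-HMAC-SHA256, 100k iterations
    return hashlib.pbkdf2_hmac("sha256", pw, SALT, 100_000)


if __name__ == "__main__":
    for size in (LOWERCASE, MIXED_WITH_SPECIALS):
        secs = seconds_to_exhaust(size, 8, HASH_RATE)
        print(f"{size} chars, length 8: {keyspace(size, 8):,} candidates, "
              f"{secs / 60:.1f} min = {secs / 86400:.1f} days")
    fast, slow = measure_rate(fast_hash), measure_rate(slow_hash)
    print(f"sha256 {fast:,.0f}/s, pbkdf2 {slow:,.1f}/s, slowdown x{fast / slow:,.0f}")
```

The slowdown factor printed last is the same factor by which every row of the table's last line grows when the defender stores a slow hash, which is why the verification-step cost is the one variable the system owner controls.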

How to protect yourself from these attacks?

Regardless of whether a brute force attack targets a system's central password file or, as in the case of iCloud, the attacker has the victim's Apple ID, the precedents prove the importance of protecting yourself from this pervasive method of cracking passwords. In general, most users know the basic principles for creating strong passwords: combinations consisting of different types of characters should be used; in the best case, upper and lower case letters are used, as well as numbers and special characters. And of course, the longer the password, the harder it will be to hack.

The scenario for creating passwords for online services is a bit more complicated, as it is subject to the conditions set by the provider. Typical requirements are a maximum length of eight to ten characters and often a limited number of letters and numbers, which is not very satisfactory without additional security measures. In these cases it is necessary that you are aware of the precautions and measures taken by the web project operators with regard to brute force attacks. If you are the administrator of a website with a login mechanism, all this responsibility will fall on your shoulders. For this you have two possible approaches:

  • Ensuring protection of the password mechanism
  • Establish a multi-factor authentication method

Protecting the password mechanism should be a standard component of login forms; however, as the aforementioned iCloud scandal shows, this is not always the case. This protection process refers to implementing strategies that make it difficult for the brute force software to work. Thus, in case the user or attacker enters an incorrect password, the option to enter another password will appear only after a short period of time. It is also possible to increase the wait time as the number of unsuccessful attempts increases. To go a step further, as Apple did after the attack, it is possible to completely lock the user's account after a certain number of login attempts.

Multi-factor authentication methods are often offered as an option by many providers. With these, you are making the login process a little more difficult, because in addition to the password, it is necessary for the user to enter an additional component. This component can be the answer to a secret question, a PIN or a so-called captcha. The latter are small tests that allow the server to determine whether it is dealing with a human user or, as is typical in brute force attacks, a robot.
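The password-mechanism protection described two paragraphs above (a short wait after a wrong password, a wait that grows with each failure, and a full lock with notification after a fixed number of failures, ten in Apple's case) can be implemented as a small per-account throttle. This is an added example, not code from the original answer or from any provider; the delay values and the `notify` hook are assumptions.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10   # lock after ten consecutive failures, the limit Apple adopted
BASE_DELAY = 2.0    # seconds before the next attempt is accepted (assumed value)
MAX_DELAY = 60.0    # cap on the growing delay (assumed value)


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # clock time at which another attempt is accepted
    locked: bool = False


class LoginThrottle:
    """Progressive delay plus lockout, tracked per account.

    A wrong password starts a waiting period; each further failure doubles
    it (up to MAX_DELAY). Attempts made during the wait are rejected before
    the password is even checked, so the attacker gains no information from
    them. After MAX_ATTEMPTS consecutive failures the account is locked and
    the holder is notified through the `notify` hook.
    """

    def __init__(self, clock=time.monotonic, notify=lambda user: None):
        self._state = {}
        self._clock = clock      # injectable for testing
        self._notify = notify    # e.g. send an e-mail to the account holder

    def attempt(self, user: str, password_ok: bool) -> str:
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "too_early"   # same answer whether or not the password was right
        if password_ok:
            self._state[user] = AccountState()   # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked = True
            self._notify(user)
            return "locked"
        st.next_allowed = now + min(MAX_DELAY, BASE_DELAY * 2 ** (st.failures - 1))
        return "failed"
```

A hard lock lets anyone who knows a username lock its owner out, which is why the growing delay is usually the first line of defence and the lock, with its notification, the last.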

Join forces to fight brute force

In addition to the measures mentioned above, there are some additional tricks to prevent brute force attacks. In general, all brute force software works with certain identification patterns, which becomes an obstacle, for example, when standard error messages are not sent back to the browser but diverted to an external system (e.g. to another web page). Another factor that can cause problems for some hacking tools is using different names for the fields and texts that appear after a failed login attempt. In any case, if you want to increase the security of your website and your passwords, it is always advisable to implement several protection measures against brute force attacks at the same time.

For some platforms and applications there are specific plugins or extensions to prevent brute force attacks. The Jetpack add-on, which, in principle, facilitates the administration of web pages in WordPress, has integrated, for example, a module to prevent dangerous attacks that is based on a list of blocked IP addresses. The IP addresses collected in this list are related in some way to all the brute force attacks carried out on WordPress websites.