A brute force attack systematically attempts possible combinations of characters or numbers to guess passwords or usernames and gain unauthorized account access.
A brute force attack is an attempt to discover a password by systematically trying combinations of letters, numbers, and symbols until one passes the authentication check. In practice the search is rarely exhaustive: attackers narrow it with dictionaries of likely passwords and with tactics such as password spraying, described below.
The logic behind a brute force attack is simple: try every possible password until one works. For example, if your password (passcode) is a four-digit PIN, trying all 10,000 combinations from "0000" to "9999" is guaranteed to find it. Doing that by hand would be tedious, but it is painless with automated tools. At one guess per second the PIN falls in at most 10,000 seconds (about 2 hours and 47 minutes), and on average in half that. That rate assumes a live login form is answering each guess; an attacker who has captured a password hash can test guesses offline at millions per second, which is the case usually called password cracking. Though brute force attacks are not a particularly sophisticated form of cyberattack, they persist because they work against weak passwords and poorly secured systems, and because automated toolkits make them cheap to scale.
Brute force attacks can take multiple forms. Simple brute force attacks systematically try every possible combination of characters until the correct one is found. The search is exhaustive and therefore guaranteed to succeed eventually, but the keyspace grows exponentially with length, so it becomes impractical for longer or more complex passwords and passphrases.
A more focused technique is the dictionary attack, which relies on a predefined list of likely passwords or phrases. Instead of trying every possible combination of characters as in a simple brute force attack, the attacker tries each entry in the list in turn until one is accepted. Dictionary attacks are far faster than exhaustive search, but they fail outright if the password is not in the list, for instance because it is long, uses unusual characters, or is not derived from a common word. In addition, hammering the same login prompt with a dictionary will quickly trip rate limiting and account lockout controls wherever those are in place.
Hybrid brute force attacks combine the two. Rather than appending random characters, the attacker takes each dictionary word and applies mutation rules to it: changing case, substituting look-alike characters (such as "@" for "a" or "0" for "o"), and appending digits, years, or symbols. This mirrors how people actually construct passwords, so "Summer2024" or "P@ssw0rd!" falls to a hybrid attack even though neither appears verbatim in a wordlist, while the search stays far smaller than an exhaustive one.
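The three candidate-generation strategies above, written out as an added example that is not part of the original article. To keep it self-contained it models the offline case: the "victim store" is a salted SHA-256 hash computed in the script, and the wordlist, salt, and target passwords ("7391" and "Summer2024") are constructed here. An online attack against a login form would face the lockout and throttling controls discussed later, but the candidate generators are the same.

```python
"""Simple, dictionary and hybrid candidate generation against a hashed target.

Added example, not code from the original article. The salt, wordlist and
target passwords are constructed so that the script runs offline.
"""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple

# Constructed fixed salt; stands in for whatever per-user salt a captured store uses.
SALT = b"constructed-salt"

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "monkey"]


def store(password: str) -> str:
    """Hash a password the way the constructed victim store does."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def simple_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Simple brute force: every string over `alphabet` up to `max_len`, shortest first."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: each word exactly as listed."""
    yield from words


# Mutation rules for the hybrid attack: look-alike substitutions plus common suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2023", "2024"]


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Hybrid attack: dictionary words mutated by casing, leet and suffix rules."""
    for word in words:
        variants = [word, word.capitalize(), word.upper(),
                    word.translate(LEET), word.capitalize().translate(LEET)]
        seen = set()
        for base in variants:
            if base in seen:          # skip duplicates so guess counts stay honest
                continue
            seen.add(base)
            for suffix in SUFFIXES:
                yield base + suffix


def crack(target_hash: str, candidates: Iterable[str], limit: int) -> Tuple[Optional[str], int]:
    """Try candidates in order until the hash matches or `limit` guesses are spent.

    Returns (password, guesses_used); password is None when the budget runs out
    or the generator is exhausted without a match.
    """
    guesses = 0
    for candidate in candidates:
        if guesses >= limit:
            break
        guesses += 1
        if store(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    pin_hash = store("7391")
    print("4-digit PIN, exhaustive:", crack(pin_hash, simple_candidates(string.digits, 4), 10_000))
    pw_hash = store("Summer2024")
    print("dictionary only:", crack(pw_hash, dictionary_candidates(WORDLIST), 1_000_000))
    print("hybrid rules:", crack(pw_hash, hybrid_candidates(WORDLIST), 1_000_000))
    alnum = string.ascii_letters + string.digits
    print("exhaustive, 200k budget:", crack(pw_hash, simple_candidates(alnum, 10), 200_000))
```

The PIN is found on guess 8,502 because every shorter string is tried first; the dictionary never finds "Summer2024", the hybrid rules find it in under 2,000 guesses, and exhaustive search over a 62-character alphabet at length 10 exhausts any budget long before reaching it.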
Another form is the reverse brute force attack, better known as password spraying. Instead of trying a succession of passwords against one account, the attacker tries one or a few passwords that are likely to be in use (such as "password1234") against a large number of usernames. The method relies on the assumption that at least some of the targeted accounts use the chosen password, and because each account sees only one or two failures it is far less likely to trigger per-account lockout; spacing the attempts out over time also keeps it under per-source rate limits.
Credential stuffing is not usually considered a brute force attack, since the attacker already holds a list of real username and password pairs, but it shares the objective of gaining unauthorized access to accounts, often followed by account takeover (ATO) and fraud. It relies on automated scripts or tools to replay large sets of compromised credentials, obtained from previous data breaches or bought on the dark web, against many online login forms, counting on password reuse. It does not involve exhaustive guessing, but it is still an automated assault on authentication and a significant security threat. Both attacks are catalogued by OWASP: the OWASP Top 10 lists them under A07:2021 Identification and Authentication Failures, and the OWASP Automated Threats project tracks them as OAT-007 Credential Cracking and OAT-008 Credential Stuffing.
Weak or broken authentication is another means of entry for brute force attackers. Some authentication systems implement no lockout or throttling mechanism to limit the number of login attempts within a given period. Without these safeguards an attacker can submit guesses as fast as the server will answer them, bounded only by network and server capacity, which makes a successful brute force attack far more likely.
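The interaction between the two controls mentioned above and the attack styles described earlier, as an added example that is not part of the original article. It models a login service with an optional per-account lockout (five failures locks the account for fifteen minutes) and an optional per-source throttle (ten failures per source address per minute), then runs a classic many-passwords-one-account attack and a password spray against it. The user table, passwords, address strings, and thresholds are all constructed; passwords are compared as plaintext only to keep the example short.

```python
"""Per-account lockout versus per-source throttling under vertical and spray attacks.

Added example, not code from the original article. Users, passwords, source
addresses and thresholds are constructed values.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed user table (plaintext for brevity; a real service stores salted hashes).
# Two users share a weak seasonal password on purpose.
USERS = {"alice": "correct horse", "bob": "Winter2024", "carol": "hunter2", "dave": "Winter2024"}
# Forty usernames the sprayer will try; most do not exist.
TARGET_USERS = list(USERS) + [f"user{n:02d}" for n in range(1, 37)]

LOCKOUT_THRESHOLD = 5   # failures before an account is locked
LOCKOUT_SECONDS = 900
SOURCE_LIMIT = 10       # failures allowed per source address per window
SOURCE_WINDOW = 60      # seconds


@dataclass
class AuthService:
    per_account_lockout: bool = True
    per_source_throttle: bool = True
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked_until: Dict[str, int] = field(default_factory=dict)
    source_failures: Dict[str, List[int]] = field(default_factory=lambda: defaultdict(list))

    def login(self, user: str, password: str, source: str, now: int) -> str:
        """Return "ok", "fail", "locked" or "throttled". `now` is a time in seconds."""
        if self.per_account_lockout and self.locked_until.get(user, -1) > now:
            return "locked"
        if self.per_source_throttle:
            recent = [t for t in self.source_failures[source] if t > now - SOURCE_WINDOW]
            self.source_failures[source] = recent
            if len(recent) >= SOURCE_LIMIT:
                return "throttled"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        # Unknown users are counted too, so lockout behaviour does not reveal which names exist.
        self.failures[user] += 1
        self.source_failures[source].append(now)
        if self.per_account_lockout and self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        return "fail"


def vertical_attack(svc: AuthService, user: str, guesses: List[str],
                    source: str = "198.51.100.10") -> Dict[str, int]:
    """Classic brute force: many passwords against one account, one per second."""
    outcomes: Dict[str, int] = defaultdict(int)
    for second, guess in enumerate(guesses):
        outcomes[svc.login(user, guess, source, now=second)] += 1
    return dict(outcomes)


def spray_attack(svc: AuthService, password: str, users: List[str], spacing: int = 1,
                 source: str = "198.51.100.20") -> Dict[str, int]:
    """Reverse brute force: one password against many accounts, `spacing` seconds apart."""
    outcomes: Dict[str, int] = defaultdict(int)
    for i, user in enumerate(users):
        outcomes[svc.login(user, password, source, now=i * spacing)] += 1
    return dict(outcomes)


# Constructed guess list: 19 misses, the real password, 10 more misses.
GUESSES = [f"guess{n}" for n in range(19)] + ["Winter2024"] + [f"guess{n}" for n in range(19, 29)]


if __name__ == "__main__":
    print("vertical, no controls:   ", vertical_attack(AuthService(False, False), "bob", GUESSES))
    print("vertical, lockout:       ", vertical_attack(AuthService(), "bob", GUESSES))
    print("spray, lockout only:     ", spray_attack(AuthService(per_source_throttle=False), "Winter2024", TARGET_USERS))
    print("spray, both, 1s apart:   ", spray_attack(AuthService(), "Winter2024", TARGET_USERS))
    print("spray, both, 61s apart:  ", spray_attack(AuthService(), "Winter2024", TARGET_USERS, spacing=61))
```

The vertical attack is stopped by lockout after five failures and never reaches the real password, whereas the spray takes over both "Winter2024" accounts without tripping lockout at all; only the per-source throttle catches it, and only while the attacker is impatient. Slowing the spray to one attempt per window sidesteps that too, which is why spray detection in practice also looks at the number of distinct accounts a source touches and at failures across all sources, not just one. A production service would also return the same generic failure for "fail" and "locked" to avoid telling the attacker which accounts exist.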
Brute force attacks may also be aimed at session IDs rather than passwords. If identifiers are short, sequential, or derived from predictable values such as timestamps, an attacker can enumerate them, or exploit other weaknesses in session management, to obtain or hijack a valid one. Once an attacker holds a valid session ID, they can present it in place of credentials to impersonate the authenticated user and reach protected resources.
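What "guessable" means for a session identifier, as an added example that is not part of the original article. It builds a minimal server-side session table, fills it once with a sequential 8-digit counter and once with 128 bits from the OS random source, and lets an attacker who holds one legitimate session probe for others. The session store, both generators, and the guess rates used in the timing estimate are constructed for illustration.

```python
"""Guessable versus unguessable session identifiers.

Added example, not code from the original article. The session store and
both ID generators are constructed; `secrets` is the standard-library CSPRNG.
"""
import secrets
from typing import Callable, List, Set


class SessionStore:
    """Minimal server-side session table keyed by session ID."""

    def __init__(self, generate: Callable[[], str]) -> None:
        self._generate = generate
        self._live: Set[str] = set()

    def create(self) -> str:
        sid = self._generate()
        self._live.add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._live


def sequential_generator(start: int = 1) -> Callable[[], str]:
    """Weak generator: an 8-digit counter. Any valid ID reveals its neighbours."""
    counter = [start - 1]

    def gen() -> str:
        counter[0] += 1
        return f"{counter[0]:08d}"

    return gen


def random_generator() -> str:
    """Strong generator: 128 random bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(16)


def probe_neighbours(store: SessionStore, own_sid: str, radius: int) -> List[str]:
    """Attacker holding a legitimate sequential ID tries the values around it."""
    base = int(own_sid)
    hits = []
    for delta in range(-radius, radius + 1):
        if delta == 0 or base + delta < 0:
            continue
        candidate = f"{base + delta:08d}"
        if store.is_valid(candidate):
            hits.append(candidate)
    return hits


def probe_random(store: SessionStore, budget: int) -> int:
    """Blind guessing against random IDs: number of live sessions hit within `budget` guesses."""
    return sum(store.is_valid(secrets.token_hex(16)) for _ in range(budget))


def expected_seconds_to_hijack(keyspace: int, live_sessions: int, guesses_per_second: float) -> float:
    """Expected time for uniform random guessing to land on *any* live session."""
    expected_guesses = keyspace / live_sessions / 2
    return expected_guesses / guesses_per_second


if __name__ == "__main__":
    weak = SessionStore(sequential_generator())
    victims = [weak.create() for _ in range(5)]     # other users log in first
    attacker_sid = weak.create()                    # attacker logs in legitimately
    print("sequential IDs, neighbours found:", probe_neighbours(weak, attacker_sid, 10))

    strong = SessionStore(random_generator)
    for _ in range(5):
        strong.create()
    print("random IDs, hits in 10,000 guesses:", probe_random(strong, 10_000))

    # Constructed rates: a busy site with a million live sessions.
    print("8-digit counter, 1000 sessions, 10 guesses/s:",
          expected_seconds_to_hijack(10 ** 8, 1_000, 10), "seconds")
    print("128-bit random, 1e6 sessions, 1e9 guesses/s:",
          expected_seconds_to_hijack(2 ** 128, 1_000_000, 1e9), "seconds")
```

The attacker with a counter-based ID recovers every other live session by looking a few values either side of their own, with no failed login involved. Against 128-bit random IDs the expected time to hit any live session is on the order of 10^23 seconds even at a billion guesses per second, which is why session IDs should come from a CSPRNG with at least 128 bits of entropy, and why a brute force attacker targets the password instead.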
The motives that drive attackers to brute force attacks vary widely, but they generally come down to gaining unauthorized access to systems, networks, or accounts for malicious purposes.
Common motives include monetary gain: attackers may seek financial information, such as credit card numbers or banking credentials, to commit fraud or theft. They may also target personally identifiable information (PII), intellectual property, or confidential business data, all of which can be sold. Access to personal accounts also lets attackers impersonate individuals and engage in fraudulent activity in their name.
Criminals can also hijack systems for other malicious ends, such as enrolling them in a botnet, a network of compromised devices under an attacker's control that can be coordinated to launch distributed denial-of-service (DDoS) attacks.
Unauthorized access gained through brute force can also be used to spread malware or spyware, or to deface websites with obscene or offensive text and images, damaging the reputation of a company or site. Attackers can also exploit ads or activity data, using their access to place spam ads on websites and collect advertising commissions, or to redirect traffic from the intended site to a malicious one that steals credentials or defrauds users.
There are several ways to lessen the risk of brute force attacks, and combining several of the following measures makes it much harder for attackers to guess passwords or gain access through repeated login attempts. These include:
The OWASP (Open Worldwide Application Security Project) Automated Threats to Web Applications project classifies brute force attacks as credential cracking (OAT-007). F5 offers solutions that address many of the OWASP automated threats. F5 Distributed Cloud Bot Defense deters bots and malicious automation, including automation that bypasses existing bot management solutions, to prevent ATO and the fraud and abuse that follow it. It provides real-time monitoring and intelligence as well as ML-based retrospective analysis to protect organizations from automated attacks, including those that employ brute force techniques.
F5 Web Application Firewall (WAF) solutions also block and mitigate a broad spectrum of risks identified by OWASP. F5 WAF solutions combine signature and behavioral protections, including threat intelligence from F5 Labs and ML-based security, to keep pace with emerging threats. To prevent brute force attacks, the WAF tracks the number of failed attempts against the configured login URLs. It treats the activity as an attack when the failed-login rate rises significantly above its baseline or when failed logins reach a configured maximum threshold.
F5 WAF solutions integrate with F5 bot defense solutions to provide robust mitigation for top security risks including vulnerability exploits and automated brute force attacks.
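The two detection conditions described above, an absolute cap on failed logins per window and a significant rise over the observed baseline, implemented over constructed access-log lines as an added example. This is illustrative code, not F5's implementation: the log format, the login URLs, the one-minute window, the cap of 30 failures, and the "five times the baseline" definition of a significant increase are all assumptions chosen for the example.

```python
"""Failed-login detection per login URL: absolute threshold plus rate spike.

Added example, not F5 code. Log format, URLs, window size and thresholds are
constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

LOGIN_URLS = {"/login", "/api/auth/token"}   # the configured login URLs
WINDOW_SECONDS = 60
MAX_FAILED = 30            # absolute threshold: failures per window per URL
SPIKE_MULTIPLIER = 5.0     # "significant increase": failures vs. baseline average
MIN_BASELINE_WINDOWS = 3   # do not judge a spike on too little history

# Constructed format: "<ISO timestamp> <client ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"epoch": int(ts.timestamp()), "ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def failed_logins_per_window(lines) -> Dict[Tuple[str, int], int]:
    """Count 401 responses on the login URLs, bucketed by (path, window start epoch)."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["path"] not in LOGIN_URLS or rec["status"] != 401:
            continue
        bucket = rec["epoch"] - rec["epoch"] % WINDOW_SECONDS
        counts[(rec["path"], bucket)] += 1
    return dict(counts)


def detect(counts: Dict[Tuple[str, int], int]) -> List[Tuple[str, int, int, str]]:
    """Flag windows that hit the cap or jump well above the baseline of earlier benign windows."""
    by_path: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for (path, bucket), n in counts.items():
        by_path[path].append((bucket, n))
    alerts = []
    for path, series in by_path.items():
        history: List[int] = []   # counts from windows judged benign, in time order
        for bucket, n in sorted(series):
            reason = None
            if n >= MAX_FAILED:
                reason = f"threshold: {n} >= {MAX_FAILED}"
            elif len(history) >= MIN_BASELINE_WINDOWS:
                baseline = sum(history) / len(history)
                if n >= SPIKE_MULTIPLIER * baseline:
                    reason = f"rate spike: {n} vs baseline {baseline:.1f}"
            if reason:
                alerts.append((path, bucket, n, reason))
            else:
                history.append(n)   # alerted windows are kept out of the baseline
    return alerts


def _lines(minute: int, n_fail: int, path: str = "/login", ip: str = "203.0.113.5", n_ok: int = 0) -> List[str]:
    """Build constructed log lines for one minute of traffic."""
    out = [f"2024-05-01T10:{minute:02d}:{i % 60:02d}Z {ip} POST {path} 401" for i in range(n_fail)]
    out += [f"2024-05-01T10:{minute:02d}:{(30 + i) % 60:02d}Z 198.51.100.7 POST {path} 200" for i in range(n_ok)]
    return out


# Constructed sample: four quiet minutes, then a spike, then a flood, on /login.
SAMPLE_LOG = (
    _lines(0, 3, n_ok=2) + _lines(1, 2, n_ok=1) + _lines(2, 4) + _lines(3, 3)
    + _lines(4, 20) + _lines(5, 35)
    + sum((_lines(m, 2, path="/api/auth/token") for m in range(4)), [])
    + ["2024-05-01T10:02:10Z 203.0.113.5 GET /profile 401",   # 401 off the login URLs: ignored
       "garbage line"]                                         # malformed: ignored
)


if __name__ == "__main__":
    for alert in detect(failed_logins_per_window(SAMPLE_LOG)):
        print(alert)
```

On the sample, minute 10:04 is flagged as a rate spike (20 failures against a baseline of 3 per minute) before the absolute cap is reached, and 10:05 is flagged on the cap itself. Keeping flagged windows out of the baseline matters: otherwise a sustained attack raises its own baseline and the rate rule goes quiet after the first alert.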