The average person has roughly 100 passwords. That's way too many to memorize, so—despite continuous warnings from cybersecurity experts—many simply reuse the same one or two passwords. However, doing this elevates your risk of having an account compromised during a brute force attack.
The computer programs used by threat actors during brute force attacks can guess between 10,000 and 1 billion passwords per second. All it takes is one correct guess, and all the accounts that use that same password could easily become compromised as well.
The good news is there are some steps you can take to protect yourself from brute force attacks. We cover these below, but first, a closer look at this attack tactic.
What is a brute force attack?
A brute force attack is one method cybercriminals use to gain access to accounts, networks, data, and other resources protected by passwords. It involves attempting to log in to accounts with many password combinations, in hopes of eventually finding the right string of letters and numbers.
These attacks are called "brute force" because the attacker has no specialized knowledge about your password. They're simply trying as many combinations as it takes to guess it.
This differs from phishing and social engineering attacks, which attempt to discover your password before trying to log in to your accounts.
The impact of brute force attacks
Brute force attacks are a serious risk for individuals and companies alike. Dunkin' Donuts, for example, was the victim of a successful brute force attack that gave hackers access to nearly 20,000 user accounts. The attackers used this access to steal money from Dunkin's impacted customers. As a result, the company was on the hook for $650,000 in penalties.
There's also reputational damage to consider. Businesses that experience a serious data breach may face a crisis of confidence among customers, which could easily lead to lost business and revenue.
Consider also that a successful brute force attack doesn't always stop there. It could be the first step in a series, allowing the threat actor to potentially launch more devastating attacks.
Common types of brute force attacks
The first step in protecting yourself from brute force attacks is recognizing the different ways cybercriminals use them.
While there are slightly different versions of attack methods, there is one key tactic found in all brute force attacks: password guessing.
A "simple brute force attack," as it's often called in the industry, involves attempting to guess a number of simple passwords quickly. For example, an attacker might try every combination of a user's name with a few numbers after it, such as Nate123, Nate987, etc. These simple brute force attacks can be performed automatically using scripts or done manually.
Sometimes a dictionary of common words, phrases, and number combinations is used for the attack. This is called a dictionary brute force attack and tends to be automated, with many different possible combinations of words used in hopes of finding a match. This kind of attack is why cybersecurity experts often recommend not using common words and phrases in your passwords, (think: password, admin, and welcome) as it would put you at increased risk during a dictionary-style brute force attack.
A variation of the dictionary attack is password spraying. This type of brute force attack involves trying several common passwords, and "spraying" them across many accounts. In other words, the hackers take passwords they know are commonly used and try to find the accounts that use them.
Credential stuffing
Credential stuffing is a subset of brute force attacks. Think of it as a more educated guess. It occurs after a username and password combination has been stolen successfully, and then trying that combination again across all the websites and tools the account holder may use.
For example, if someone successfully guesses your Netflix password, they may try the same combination on Gmail, Amazon, and other sites with potentially more confidential data, such as credit card information.
This attack thrives off the fact that many people use the same passwords across multiple sites.
What's more, credential stuffing can be difficult to identify since hackers use legitimate login credentials. If you become the victim of credential stuffing, a hacker could potentially have access to your account for a lengthy period of time without your knowledge.
How to protect yourself from brute force attacks
Now that you know how brute force attacks happen and what they might look like, the next step is to follow best practices that help defend against them. An easy place to start that you can do right now: set up multifactor authentication wherever you can.
Implement multifactor authentication
Some experts estimate that multifactor authentication (MFA) can stop up to 90% of cyberattacks. MFA secures your accounts by adding an extra layer of independent protection.
For example, you can download a multifactor authentication app on your phone and connect it to your email address. Each time you log in to your email account, you would need to enter a code from the app to do so instead of the single step of inputting your password.
The advantage of MFA is that it requires a hacker to breach two independent accounts in order to gain access to the account you want to protect. In the example above, that would mean compromising both your email account password and the log in information for your MFA app.
Limit login attempts
When you're targeted by a brute force attack, it can take hundreds of thousands, millions, or even billions of login attempts before the hacker successfully guesses your password. It won't be possible for a cybercriminal to complete that process if you limit the number of login attempts.
This means shutting down access to an account after a certain number of incorrect logins are attempted. To restore access to the account, the person will need to either wait a certain amount of time or contact a network administrator.
Locking down accounts like this will give your cybersecurity resources time to identify and respond to the threat before it can burrow into your systems. You can also choose your own rules for restoring access to accounts, so an employee who makes an honest mistake won't be locked out of their account for very long.
Use a password manager
Password managers can be another effective tool in your arsenal against brute force attacks. They help you create and store hard-to-guess passwords securely. That way, your passwords are more resistant to brute force attacks, and you don't have to worry about remembering them entirely on your own.
Don't forget, brute force attackers randomly guess different potential passwords in the hopes of eventually finding yours. This becomes an exponentially more time-consuming task as you increase the complexity of your passwords. Eventually, the attacker may decide accessing your account isn't worth the trouble and may move on to an easier target.
Follow the best practices for passwords
Speaking of passwords, don't forget to use good security practices when managing them. This means:
- Not reusing the same password across multiple accounts
- Making your passwords more than several characters long
- Not using common dictionary words in your passwords
It's also important to know and respond accordingly if any platforms you use experience a breach. They'll usually let you know if this has happened. If you get a notification detailing a recent breach, it's a good idea to change your password quickly. Acting fast could be the difference between whether a potential brute force attack succeeds or fails.
Encourage employees to report suspicious login alerts
You can encourage employees to monitor their accounts for suspicious login attempts by training them on what to look for and to alert managers when suspicious login attempts occur on business accounts.
In some cases, these notifications can be phishing attempts. But even if they aren't, it's best to get an experienced IT or security professional involved just to be safe.
Put a threat monitoring, detection, and response solution in place
Perhaps the most effective way to thwart brute force attacks is to quickly identify them when they're happening. To do that, you need to watch over your company's network, cloud-based services, and devices around the clock.
This is exceedingly difficult to do on your own, as it demands significant resources. A better solution may be to leverage the power of a holistic cybersecurity solution.
Field Effect's Covalence solution offers real-time monitoring for your network, cloud apps, and endpoints to detect and respond the moment a suspicious login attempt occurs, among a wide range of other cyber threats. You get the real-time monitoring you need to avoid brute force attacks, even if it happens in the middle of the night.
Want to learn more? Check out our brand new Covalence demo video to see our security solutions in action.
