The username and password are part of the access credentials for multiple applications, services and resources of all kinds. Just setting weak passwords can even lead to financial losses. Unfortunately, even if we apply all the best user practices, cybercriminals continue to expand and improve their knowledge to violate them in some way. Brute force attacks are one of the easiest to carry out, and at the same time one of the most effective. Although it is not entirely possible to avoid these types of attacks, we recommend you take a look at this guide that will explain what they consist of. In addition, we are going to recommend the measures that all IT support should apply for a more secure management of the passwords of the users of an enterprise network.
What is a brute force attack?
It consists of an attack in which the cybercriminal makes several attempts to guess the username and password of an application or service. You might think that this is an extremely laborious activity, it requires many resources and many hours. In real life, automatic tools are used to carry out this work, making use of automatic scripts and powerful computers with a very good CPU and also GPU to speed up this process as much as possible, and to be able to test all possible combinations of credentials in the shortest possible time. .
We mention the fact that many resources are needed. We refer to computing resources. It would take a long time for a basic personal computer to crack a password if any of the tools that automate brute force attacks were used, as they have millions of credential combinations. Rather, computers should be equipped with the best in terms of CPU, RAM, and also GPU power.
These types of attacks target all kinds of web applications, websites and their related services. On the other hand, APIs and services that use the SSH protocol are also vulnerable. However, this is one of the most essential attacks. It serves as a bridge for many others. Once credential combinations are matched, multiple types of personal data can be accessed. Of course, the most attractive have to do with banking, financial and commercial. Likewise, any type of data that can identify you can be very useful for an attacker to obtain some type of revenue, especially financial revenue.
Brute force attack and phishing
Both individual and business users suffer the havoc caused by phishing. Remember that this consists of the arrival of email messages with malicious content. In many cases, messages arrive that have senders who appear to be lawful and that even the content of the message appears to be. However, a link is clicked and from there, the problems begin. On the other hand, you can come across messages that clearly indicate that they are phishing attempts, either due to the supposed email addresses of the senders or the misspellings of the text of the messages.
Unfortunately, many people don’t pay attention to details like the ones we discussed and end up being victims. They lose data ranging from email access to bank details. The great success of phishing has a lot to do with the fact that user and password credentials are extremely weak. Not surprisingly, these days there are still passwords like “123456”, “tequieromucho” or “qwertyuiop”. One of the reasons why this type of situation occurs is that users in many cases do not want to think much about a strong password or simply think that they will never be victims of phishing or similar attacks.
Brute force attack types
Below we will cite the most common types of brute force attack. From the simplest to carry out to the most complex. The best known method is, of course, the traditional one. The same is that a cybercriminal tries the most number of username and password combinations manually. The number of combinations you could try depends on factors such as the origin of the users you have targeted, the personal data you manage about them, and you can also use dictionary-type programs. The latter facilitate the generation of combinations, saving the time it would take to think of such combinations.
Reverse attack
A type of attack that tends to be very effective, although it does not require much effort is the reverse attack . It consists of testing a few password combinations on large groups of users. Why would you opt for this variant of the brute force attack? From what we discussed above, many users still have very easy to guess passwords. Also, those users who receive or have access to default username and password (for example, Wi-Fi routers) get used to not changing them. That certain time saving that comes from not changing passwords, especially, makes devices vulnerable to attack.
Another situation worth commenting on is those people who use CCTV security cameras. They have a web and / or mobile interface with a specific username and password. Of course, it is advisable to change both the username and the password. However, many people fail to do so and greatly expose malicious people to access and control their cameras. Shodan is a well-known web portal that is characterized by its ease of locating practically any computer that has a public IP address, that is, traceable on the Internet. Precisely, one of the most popular searches consists of security camera management interfaces, especially those that maintain their default access credentials. Of course, this is an invaluable source for any cybercriminal who wants to violate these security systems. Also, many companies and individuals use tools like this for professional and educational purposes. This can even help determine strategies to better protect any findable device on the network of networks.
Rainbow table
It consists of the use of a dictionary in plain text format and which is pre-computerized. In addition, they also use the hash values of each of the pre-computed passwords. So what the attacker does is try to reverse the hash of each of them. Of course, this is much easier to do with special programs and with sufficient computing resources.
Dictionary Attacks
It really isn’t a brute force attack that tests every possible combination, but dictionaries are one of the primary tools for any cybercriminal to execute password cracking attacks. What does it consist on? They are sets of phrases that are generated from certain rules. For example, that the potential passwords are numerical, alphanumeric series or that include different special characters as each password is generated. Wifislax is a popular Wi-Fi network hacking tool, where you can find a complete suite of tools and gain comprehensive knowledge about it. Among the tools available are dictionary generators. We reiterate the fact that these programs can consume many computing resources.
How to effectively protect your accounts
In addition to the typical tips for choosing strong passwords, which do not exactly mean something or give any clue that identifies you and others, it is good to cite the measures to be followed by everyone responsible for managing network users. An interesting best practice is to never store passwords in databases, only the password hash, and if possible, use a password-specific hash.
On the other hand, password creation policies should not be neglected. Not only is it important to raise awareness about the use of strong passwords, but the policies themselves insist with messages on whether the password is strong enough. Also, they must indicate if they are complying with all the rules for creating such passwords. As long as the user wants to log into their work environment within the company or remotely, they must have a limit on the number of attempts for a certain time and, for example, after three attempts it is already blocked login and reset.
If necessary and according to the application, service or resource in which the user is logging in, it is recommended to use CAPTCHA and Multi-Factor authentication methods. This is extremely useful to give guarantees that the legitimate user is the one who is logging in.
