Let’s say you want to log into your favorite casino site to play slots online for money after a tough workday. But wait: your password is rejected, and you cannot log in. When you switch to the same operator’s mobile casino site, you have the same problem: your account password has been changed. How could this have happened? You have not shared your password with anyone, so how could an attacker have found it? You may have been the victim of a Brute Force attack. This attack is a real threat, especially for internet users with simple passwords. So what is a Brute Force attack, how is it carried out, and, more importantly, how can you protect yourself from it? We answer all these questions below.
What Is a Brute Force Attack?
Brute Force is a form of attack, used against both online logins and encryption, whose goal is to recover a password. Most cyber-attacks require the attacker to have certain information about the target. This is not the case with Brute Force: the attacker knows nothing about the target and simply keeps trying candidate passwords until the correct one turns up. In its most common form, a list of passwords is prepared containing the most frequently used ones, such as 12345678 and 987654321. These passwords are then tried one after another, with the help of specialized software, against a specific online account. The software stops as soon as the correct password is found and informs the attacker.
In theory, every Brute Force attack will eventually succeed. How long it takes, however, depends on the length of the password list, the computing power available to the attacker and the measures taken by the target. For example:
- There are 52,521,875 combinations for a 5-character password consisting of letters in the A-Z range and digits 0-9. Even with software, there is a limit on the number of passwords that can be tried per second. Assuming a single password is tried every second, it will take up to 52,521,875 seconds (14,589 hours) to crack such a password. Brute Force software reduces this time by trying the most frequently used passwords first, and a botnet can also be used, so the time can be shortened by running hundreds of bot computers at once. In any case, each password takes some time to crack, and the attacker must remain undetected during that time.
- Most online services now block an IP address after a certain number of incorrect passwords, so they do not allow many consecutive attempts from one source. Although this is enough to stop simple attacks, it is not a real solution against Brute Force attacks that use botnets, where each attempt can arrive from a different IP address.
- Some encryption schemes are, for physical reasons, completely safe from Brute Force attacks. For example, 128-bit symmetric key encryption is considered impossible to break this way. The reason, without going into technical detail, is that the energy required to break such a key equals 0.1% of the world’s energy production, and with existing power grids no single device can draw that much power.
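The IP blocking described in the list above, as an added example that is not part of the original article: a failed-login limiter that counts wrong passwords per source IP and per targeted account. The class, the limits and the IP addresses are constructed for this illustration; the per-account counter is what still catches guesses that a botnet spreads over many addresses.

```python
import time
from collections import defaultdict, deque

# Added example, not from the original article: lock out both the source IP
# and the targeted account after too many wrong passwords in a sliding window.
# Limits below are constructed values, not a recommendation for any product.
MAX_FAILURES = 5        # wrong passwords tolerated inside the window
WINDOW_SECONDS = 600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a lockout lasts once triggered


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)  # key -> timestamps of failures
        self.locked_until = {}              # key -> time the lockout ends

    @staticmethod
    def _keys(ip, account):
        return (f"ip:{ip}", f"acct:{account}")

    def _recent(self, key, now):
        """Drop failures older than the window and return what is left."""
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def allow_attempt(self, ip, account, now=None):
        """True if a login attempt from ip against account may be processed."""
        now = time.time() if now is None else now
        return all(self.locked_until.get(k, 0) <= now for k in self._keys(ip, account))

    def record_failure(self, ip, account, now=None):
        """Count a wrong password against both the IP and the account."""
        now = time.time() if now is None else now
        for key in self._keys(ip, account):
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                q.clear()

    def record_success(self, ip, account):
        """A correct password resets the counters (an active lockout still stands)."""
        for key in self._keys(ip, account):
            self.failures.pop(key, None)


def botnet_locks_account(limiter, account, bot_ips, now):
    """Simulate one wrong guess per bot; True if the account ended up locked."""
    for ip in bot_ips:
        if limiter.allow_attempt(ip, account, now):
            limiter.record_failure(ip, account, now)
    return not limiter.allow_attempt("198.51.100.1", account, now)
```

A hard per-account lockout can itself be abused to lock a legitimate user out, so production systems usually combine it with progressive delays or a CAPTCHA rather than a flat block.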
However, don’t assume you are safe just because websites take some measures and some protocols seem immune to attack: Brute Force is still a real danger for the end user, because the vast majority of people use fairly simple passwords. A Brute Force attack will not hijack an intelligence agency’s website, but it can, for example, take over every social media account of an ordinary user.
How to Prevent a Brute Force Attack?
In fact, there is a remarkably simple way to completely protect yourself from a Brute Force attack: use a long and complex password. If you use a 20-character password consisting of lowercase and uppercase letters, digits and symbols, you are almost completely safe from Brute Force attacks. Theoretically, such a password can still be cracked, but it would take an enormous amount of resources and time. No self-respecting hacker will go to this much trouble to hack an ordinary user’s accounts.
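The arithmetic behind the 5-character example in the list above and the 20-character recommendation here, as an added example that is not part of the original article (function and alphabet names are my own; the guess rates are constructed). Note that 35 symbols per position gives exactly the 52,521,875 combinations quoted above, while A-Z plus 0-9 is 36 symbols, which gives 60,466,176.

```python
import math
import string

# Added example, not from the original article: size of the search space a
# guessing attack must cover and the worst-case time to cover it at a given
# guess rate. Alphabet names and the rates in main are constructed values.
ALPHABETS = {
    "digits": string.digits,                                            # 10
    "upper+digits": string.ascii_uppercase + string.digits,             # 36
    "mixed+digits": string.ascii_letters + string.digits,               # 62
    "full": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def search_space(alphabet_size, length):
    """Distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst case for the attacker: every candidate is tried once."""
    return candidates / guesses_per_second


def describe(seconds):
    """Render a duration at a scale that suits its size."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:,.0f} s"
    if seconds < year:
        return f"{seconds / 3600:,.0f} h"
    return f"{seconds / year:.3g} years"


def compare(alphabet, length, guesses_per_second):
    """Search space, entropy and worst-case time for one password policy."""
    n = len(ALPHABETS[alphabet])
    space = search_space(n, length)
    return {"alphabet_size": n, "search_space": space,
            "entropy_bits": round(entropy_bits(n, length), 1),
            "worst_case": describe(seconds_to_exhaust(space, guesses_per_second))}


if __name__ == "__main__":
    # 1 guess/s is the online rate used in the article; 1e10/s stands in for an
    # offline attack on a leaked fast hash (constructed figure).
    for alphabet, length in (("upper+digits", 5), ("full", 20)):
        for rate in (1, 1e10):
            print(alphabet, length, rate, compare(alphabet, length, rate))
```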
To be more secure, use a different 20-character password for each online service. The most common mistake internet users make is to use the same password everywhere. This is a much bigger problem than it seems: if the password you use on a forum that does not take adequate security measures is leaked, every online account that shares it is effectively compromised. So use a different password for each service. Remembering all of them will, of course, be difficult, so you may want to use a service that creates and stores secure passwords for you. LastPass, for example, is one of the reliable browser extensions offering such a service.
Another precaution you can take as an end user is two-factor authentication. To log into a service, you must then present both your password and a one-time code, so the service must support this feature. If it does, activate it immediately: free authenticator applications will make your accounts much more secure. Then, even if your password is revealed, the attack fails because the attacker cannot produce the one-time code.