How brute force password attacks work

There are plenty of terms within cybersecurity that should scare you, primarily because the meanings behind them are so threatening — things like phishing and vulnerabilities. Yet, because the words that make up these terms don’t seem dangerous, many people ignore the issues, leaving themselves open to attack.

Meanwhile, too many everyday device users are more distracted by terms that seem frightening but aren’t all that significant in terms of risk. A prime example of this is the brute force attack, which seems like an enormous and insurmountable cyber threat that everyone should fear. In truth, brute force attacks are threats — but they aren’t likely to happen to you. Here’s what you really need to know about brute force attacks, so you can focus on issues more likely to harm your digital assets.

The anatomy of a brute force attack

A brute force attack begins with an attacker choosing their target. The target for a brute force attack isn’t necessarily a person or device; rather, it is an encrypted file or login-protected account that likely contains valuable data and is seemingly otherwise inaccessible to the attacker. Once a target is determined, the attacker utilizes a software tool programmed to cycle through potential username and password combinations. Eventually, the program identifies the correct combination, and the attacker gains access to the sensitive information.

This is more effective than you might think, largely because so many people use weak passwords that are easy for brute force programs to guess. Often, brute force tools are programmed to try common passwords, like “password” and “12345678” first; then, they move onto dictionary words and common modifications, like using zeros for Os and fours for As, as well as common names or dates. On average, these programs can attempt over 17 million passwords in a second, meaning if your password isn’t remotely strong, your data will be compromised in a blink of an eye.

A number of major companies as well as governments have fallen victim to brute force attacks in the past. For example, in 2017, Westminster Parliament succumbed to a brute force attack wherein 90 email accounts were infiltrated; in 2018, several Northern Irish Parliament members became victims of a brute force attack. Alibaba, Firefox, Github and other online services have all lost millions of accounts thanks to brute force attacks. But here’s the thing: Just because it happened to them doesn’t mean it will happen to you.

Why you don’t hear much about brute force attacks

A brute force attack can get an attacker into spaces that are otherwise unreachable — but they are expensive, time-intensive and often not as effective as it seems they would be. There are several reasons for this.

 First, it’s important to note that many brute force attacks occur over the web, and most web services have taken steps to ensure that brute force attacks are not successful. For instance, you might remember trying to guess your way into your own account and being thwarted by a message telling you that you only get a certain number of tries per day. This is a measure meant to limit guesses from single IP addresses, which could be brute force attackers. Additionally, dual-factor authentication — which pings your phone or email address for identity verification — stops brute force attacks, unless you use the same username/password combo across all accounts.

Secondly, users are becoming savvier about cyber hygiene, meaning that many people are developing stronger passwords that take more time to crack. Even just lengthening your password by one or two letters can reduce the effectiveness of a brute force attack. While the seven-character “abcdefg” takes .19 milliseconds to crack, eight-character “abcdefgh” requires around 3.5 hours. For this reason, most experts advocate passwords between 12 and 14 characters. What’s more, you can find maximum internet security software equipped with password managers that create and store high-strength passwords for you.

Finally, the only reasons your files or accounts would be the target of a brute force attack are if: a) You run a business, b) you are known to have valuable data, or c) you angered a cyber attacker in some way. The truth is that the average computer user simply isn’t worth the time and hassle of a brute force attack. More often, this time-consuming and resource-heavy attack style is directed against major organizations, which are ripe with valuable information.

“Brute force attack” sounds scary, but the truth is there are way more cybersecurity issues you should worry about first. As long as you are keeping your usernames and passwords complex and, more importantly, secret, you should have nothing to fear from brute force.