What is a brute force attack?

One of the least advanced but most successful techniques used by hackers to break into a network, a brute force attack is achieved by employing a trial-and-error method of entering different username and password combinations with an automated tool or bot until access is granted. Once they've infiltrated the network, hackers steal data, install malware, or even shut the system down.

Types of brute force attacks

Credential stuffing: Attackers use known credentials such as email addresses and passwords that have been previously leaked in breaches from other organizations to log in to the network. Since users tend to reuse the same credentials in different services or applications, this mode is often successful.

Reverse brute force attack: In this type of attack, the hacker tries a commonly used password and attempts to log in with different usernames.

Dictionary attack: In this attack, the hacker will enter phrases or well-known words in the dictionary as passwords. These are usually words like "password," "admin," or "welcome."

How to protect yourself from brute force attacks

• Enforce robust password policies so passwords are difficult to guess. Passwords that are a combination of numbers, letters, and special characters are most difficult to guess. Besides these, you can also restrict users from having their username in the password.
• Implement two-factor authentication (2FA) as an additional layer of security.
• Limit login attempts for a specific time frame or by a certain amount. If an attempt goes beyond the specified limit, the account should be locked out for a fixed amount of time, or the IP address sending the repeated requests should be blocked.
• Don't use the same passwords for different services. If a particular service is compromised, the attackers can reuse the same credentials to access other services.
• Introduce CAPTCHA which requires users to identify a pattern of letters and numbers or images during the login process.

Notable brute force attacks

Here are some well-known brute force attacks that have happened in the past few years:

Wordpress

In April 2013, WordPress was the target of brute force attacks from 90,000 IP addresses. The attackers attempted to access admin accounts by keying in different weak passwords. Users were asked to refrain from using weak passwords and to set up robust passwords instead.

GitHub

In 2013, GitHub became a victim of a brute force attack. The hackers used 40,000 unique IP addresses to force their way into accounts with weak passwords or passwords used in more than one account. After the attack, GitHub took steps to ban weak passwords for all accounts by enforcing more robust password requirements.

Alibaba

In 2015, Alibaba's e-commerce platform TaoBao suffered a massive brute force attack. Hackers accessed around 99 million credentials leaked from another breach, and about 21 million accounts were affected in this breach due to users generally using the same credentials for different accounts.