A brute force attack is a type of attack in which the perpetrator aims to gain unauthorized access to accounts, systems, and/or networks by repeatedly submitting different combinations of login credentials until the correct one is guessed. It should be noted that white DoS and DDoS attacks also use a lot of requests, they differ in overall goals when compared to a brute force attack. In the case of DoS and DDoS, the goal is to make the server inaccessible, whereas with a brute force attack the goal is to gain access to the server.
Different types of brute force attacks
There are different ways of performing brute force attacks, all sharing the end goal of unauthorized access. Unfortunately, in order to simplify the process, perpetrators can use tools and software that helps them guess credentials faster.
Simple brute force attack
In the case of a simple brute force attack, the perpetrator is not using any software in the “trial and error” process of guessing the correct login credential combinations. They are doing so manually, and are successful usually when the password is a weak or obvious one, or is used for many different accounts.
A dictionary attack is when the perpetrator chooses a target and continues to test different passwords for the username. The name comes from the method of going through dictionaries to try out common words, or using those words with simple modifications. As this method is time consuming, it is not as common or effective.
Hybrid brute force attack
A hybrid brute force attack combines a simple brute force attack and a dictionary attack. In this case the perpetrator knows the username needed, and follows through with both dictionary and simple brute force attack methods to gain account access. This type of brute force attack is most effective with passwords that combine common words with simple numbers.
Reverse brute force attack
A reverse brute force attack is when the perpetrator begins the hacking process knowing the password of an account rather than the username. In this case, the password is used to identify its matching username by searching through lists or databases of usernames.
Credential stuffing is when the perpetrator already has a username and password combination, and uses the same credentials on other websites. This is of course used to target those who repeat passwords across various accounts.
How to prevent brute force attacks?
The following are the easiest ways in which brute force attack—in all its forms, can be prevented.
Strong password etiquette
Make sure to use complex passwords that are devoid of personal and easy-to-guess information. Instead, make them long (at least 15 characters), use spaces and characters, including numbers, symbols, and letters in both uppercase and lowercase. Beyond the complexity of a password, strong etiquette includes not using the same password for multiple accounts. The more random it appears, the better. It’s also important to actually remember your passwords, especially if you follow step 2 (limiting login attempts). You can use password managers for generating random, strong, and secure passwords, and storing them. For site owners, make sure to enforce the practice of using strong passwords by not allowing site users to use weak passwords. A WordPress security plugin like iThemes Security is a great way to force the use of strong passwords.
Limit login attempts
Some accounts allow unlimited login attempts, a dream come true for brute force attackers. You can implement a limit on login attempts—for example, 5, after which a user’s IP address will be temporarily banned from attempting to login. As long as you have a way to remember all of your passwords (there are websites like 1Password or BitWarden that do this), it should not be an issue.
Implement two-factor authentication
In addition to strengthening your passwords, two-factor authentication (2FA) will add another level of protection to your account. In order to login, a user would need to validate their identity after submitting login credentials. In most cases, a unique code would be sent to your cell phone or email address that would need to be inputted. There is also another type of 2FA, where there is no code sent, thus not causing any additional load on the server. Time-based One-Time Password (TOTP) or other solutions that use token generators such as Google Authenticator are good options in this regard.