Cyber-Security: Brute Force Attacks

A brute-force attack can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). It runs rather like what you see in 'War Games', when the protagonist leaves his computer on all day, automatically trying a series of codes in order to get into a system. The difference is that nowadays you can try millions of code combinations in a short time!

In a simple brute force attack a computer will methodically work through all possible passwords (beginning with ‘A’, then ‘AA’, ‘AB’ and so on …) trying each in turn until it stumbles upon an actual password. The more characters in the password, the longer it takes to 'break', but the characters used also matter. Let us look at the cracking of an 8-character password:

How long does it take to crack a password?

Hackers can instantly uncover a password that only uses a single type of character by using some of the software widely available! It is more time-consuming for them if you add special characters, numbers and capital letters.
The above data related to 2017. But with faster processors the time taken to brute force crack a code is diminishing. In 2020, Hive Systems shared a colourful table that showed the relative strength of a password against a brute force cracking attempt, based on the password's length and complexity. You will find it everywhere on the web. The data was based on how long it would take a consumer-budget hacker to crack a password hash using a desktop computer with a top-tier graphics card. Two years later – quite a long period of time in processing power improvement terms – they published an update. It is evident that, to be safe, a password should be complex (upper and lower case letters, numbers and symbols) and made up of as many characters as possible.

Password 'guessing'

The attacker submits many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Brute-force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. As the password's length increases, the amount of time, on average, to find the correct password increases. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult (and more time-consuming) to crack than shorter ones. This method is therefore very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long.

Guessing 'the key'

Alternatively, the attacker can attempt to guess 'the key', which is typically created from the password using a key derivation function to 'hash' the password. This is known as an exhaustive key search.

Reverse hacking of passwords and keys

Sometimes the hackers have the passwords or keys but do not know who they are associated with. The search to match them can also be done by brute force.

Typical Brute Force Attack Methods

Tools used to make Brute Force Attacks

These are freely available on the internet. There are many out there; here are a few of the most popular (these even have people on YouTube telling you how to use them!):

Hardware required to carry out Attacks

Any use of a software tool to carry out a brute force attack requires a computer system with a lot of memory and processing speed. Therefore powerful hardware is vital. A single central processing unit (CPU) isn't usually enough to quickly crack a password or even run these functions at all. Therefore those involved in the cybercrime industry now employ graphics processing units (GPUs) to accelerate data processing tasks.

Online and Offline Brute Force Attacks

In online brute force attacks, the hacker directly targets the network or application. However, these attacks are restricted by the system's countermeasures. For instance, most systems will lock a user out after a certain number of incorrect login attempts. To get around this potential roadblock, attackers can use offline brute force attacks. These attacks enable password key cracking attempts without logging into the user's server. Since password data uses hashes or encryption for security purposes, the hacker works backward during offline attacks by taking the known hashes and running a computer program to match them up with the known passwords until a correct combination has been found.

Combatting Brute Force Attacks

Dictionary and brute force attacks can be foiled by having computer systems watch for unsuccessful attempts to log in to accounts. Almost all computer systems restrict the number of unsuccessful logins, after which the account is locked and can only be accessed after the intervention of an administrator. Brute force attacks are rooted in credential compromise, so steps must be taken to prevent access via 'slip ups' by employees or users. Brute-force attacks can be made less effective by 'obfuscating' the data to be encoded, thus making it more difficult for an attacker to recognize when the code has been cracked. Or they can be discouraged by making the attacker do more work to test each guess.
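
To put numbers on the last point and on the earlier discussion of length and complexity, here is an added example (not part of the original page) that estimates how long an exhaustive offline search would take and how a key derivation work factor multiplies that time. The guess rate, iteration count and sample passwords are assumptions constructed for illustration, not measurements.

```python
import hashlib
import os
import string

# The four character classes the article names.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Combined size of every character class the password draws from."""
    if any(all(ch not in c for c in CLASSES) for ch in password):
        raise ValueError("character outside the four modelled classes")
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def keyspace(password):
    """Candidates of the same length over that alphabet."""
    return alphabet_size(password) ** len(password)

def worst_case_seconds(password, hashes_per_second, kdf_iterations=1):
    """Seconds to try every candidate offline (the average is half of this).

    hashes_per_second is an ASSUMED attacker rate for one plain hash. The
    model treats a guess against a KDF as costing kdf_iterations hashes.
    """
    return keyspace(password) * kdf_iterations / hashes_per_second

def derive_key(password, salt, iterations):
    """Defender side: salted, deliberately slow PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

if __name__ == "__main__":
    RATE = 1e10           # assumed rate, not a measurement
    ITERATIONS = 600_000  # assumed work factor
    for pw in ("abcdefgh", "Abcdefg1", "Abcdef1!", "Abcdef1!Abcdef1!"):  # constructed
        fast = worst_case_seconds(pw, RATE) / 86400
        slow = worst_case_seconds(pw, RATE, ITERATIONS) / 86400
        print(f"{pw:18} plain hash: {fast:.3g} days   KDF: {slow:.3g} days")
    stored = derive_key("Abcdef1!", os.urandom(16), ITERATIONS)
    print("stored verifier:", len(stored), "bytes")
```
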

One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.

Precautionary operational steps to take:
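
One such step, the account lockout described under 'Combatting Brute Force Attacks', sketched as an added example that is not part of the original page. The threshold, the time window, the class and function names and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_failures: int = 5        # assumed threshold
    window_seconds: int = 900    # assumed: older failures are forgotten
    failures: dict = field(default_factory=dict)  # account -> failure times
    locked: set = field(default_factory=set)

    def record(self, ts, account, success):
        """Process one login attempt and return its outcome."""
        if account in self.locked:
            return "rejected"    # refused even if the password was right
        if success:
            self.failures.pop(account, None)   # a good login clears the count
            return "ok"
        recent = [t for t in self.failures.get(account, [])
                  if ts - t < self.window_seconds]
        recent.append(ts)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "failed"

    def admin_unlock(self, account):
        """Administrator intervention: the only way out of a lock."""
        self.locked.discard(account)
        self.failures.pop(account, None)

# Constructed sample events: (unix time, account, password correct?)
SAMPLE_EVENTS = (
    [(0, "alice", False), (10, "alice", True)]        # typo, then success
    + [(20 + i, "bob", False) for i in range(5)]      # rapid guessing
    + [(100, "bob", True)]                            # arrives after the lock
    + [(200 + i, "carol", False) for i in range(4)]   # four failures...
    + [(1200, "carol", False)]                        # ...then one much later
)

def replay(events, policy=None):
    """Feed events through a policy; return the outcomes and the policy."""
    policy = policy or LockoutPolicy()
    return [policy.record(*event) for event in events], policy

if __name__ == "__main__":
    outcomes, policy = replay(SAMPLE_EVENTS)
    for event, outcome in zip(SAMPLE_EVENTS, outcomes):
        print(event, "->", outcome)
    print("locked accounts:", sorted(policy.locked))
```
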