Brute-Force and Dictionary Attacks

Best practices to prevent attackers who steal credentials via brute-force and dictionary attacks.


What are Brute-Force and Dictionary Attacks?

Brute-force attack definition: 

“An attack in which cybercriminals utilize trial-and-error tactics to decode passwords, personal identification numbers (PINs), and other forms of login data by leveraging automated software to test large quantities of possible combinations.”

Dictionary attack definition:

“A type of brute force attack where an intruder attempts to crack a password-protected security system with a “dictionary list” of common words and phrases used by businesses and individuals.”

Both are common types of cybersecurity attacks in which an attacker tries to log in to a user’s account by systematically checking and attempting all possible passwords and passphrases until the correct one is found. These brute-force and dictionary attacks are common, due to large quantities of individuals reusing common password variations.

After all, the easiest way to attack a system is through the front door, and there must be some way to log in. If you have credentials, you can log in as a normal user would, likely without generating suspicious log entries, tripping IDS signatures, or needing an unpatched vulnerability. If you have the credentials for the system administrator, life is even easier. Attackers have neither of these luxuries; here’s an overview of how they utilize brute-force and dictionary attacks to gain access.

Attackers lack the necessary credentials to log in normally, so they’ll frequently start their attack by looking for a target's email address or domain in password dumps from a compromised website. If the target reused their password on a website that was later compromised, that password may still be valid. But savvy users (and hopefully sysadmins) will use unique passwords everywhere. So the attacker must now turn to one of two more direct attacks: dictionary attacks and brute-force attacks.

Dictionary Attacks

In a dictionary attack, the attacker utilizes a wordlist in the hopes that the user’s password is a commonly used word (or a password seen in previous sites). Dictionary attacks are optimal for passwords that are based on a simple word (e.g. 'cowboys' or 'longhorns'). Wordlists aren’t restricted to English words; they often also include common passwords (e.g. 'password,' 'letmein,' 'iloveyou,' or '123456'). But modern systems restrict their users from such simple passwords, requiring users to come up with strong passwords that would hopefully not be found in a wordlist.

Brute-Force Attacks

To conduct a brute-force attack, an attacker may use a tool to attempt every combination of letters and numbers, expecting to eventually guess the password. If the attacker knows that an organization requires special characters in their password, the tool could be instructed to include letters, numbers, and symbols. Every password, no matter how strong, is vulnerable to this attack. However, this method is going to take a while (years, if the password is long enough).

The length of time required to crack a short password (such as a four-digit PIN) might be under a minute. Extending that to six characters could take an hour. Extending that to eight characters, with both letters and symbols, might take days. Note that each new character exponentially increases the amount of time necessary for a brute-force attack to discover the password. So a strong, lengthy password could take weeks or months. But, with enough computing power and a particularly dedicated attacker, the password would eventually be discovered.

Best Practices to Defend Against Dictionary and Brute-Force Attacks 

Using a strong, uncommon password will make an attacker's job more difficult, but not impossible. Luckily, there are further measures that end users and system admins can take to prevent (or detect) these attack attempts:

Slow down repeated logins: This is the simplest countermeasure available. An end user is unlikely to notice a 0.1 second delay while logging in, but that delay would accumulate quickly for an attacker, especially if they cannot parallelize their attempts.

Force captchas after multiple failed logins: While a user could have simply forgotten which password they used for the account, this will help slow down an attacker significantly. This is a great deterrent, as modern captchas are difficult to defeat with computers. Many captchas need manual input in order to be solved.

Lock accounts: Even better, a system can be configured to lock an account after a specified number of attempted logins. Many websites will trigger additional protections for accounts with repeated bad password attempts. In the extreme case, for example, an iPhone will self-destruct (wipe all data) after 10 tries.
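The three measures above (delay, captcha, lockout) combined in one per-account tracker, as an added example that is not from the original article. The thresholds, the doubling delay, the lock duration and the names `LoginThrottle`, `decide` and `record` are assumptions chosen for illustration.

```python
from dataclasses import dataclass

BASE_DELAY = 0.1     # seconds; the delay figure used in the text
MAX_DELAY = 30.0     # assumed cap on the per-attempt delay
CAPTCHA_AFTER = 3    # assumed: failures before a captcha is required
LOCK_AFTER = 10      # assumed: failures before the account is locked
LOCK_SECONDS = 900   # assumed lock duration


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is accepted
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failures per account, so rotating source addresses does not reset the count."""

    def __init__(self):
        self.accounts = {}

    def decide(self, account, now):
        """What the login endpoint should do before it checks the password."""
        st = self.accounts.get(account)
        if st is None:
            return "allow"
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "wait"
        if st.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record(self, account, success, now):
        """Update state after a password check; returns the delay imposed in seconds."""
        if success:
            self.accounts.pop(account, None)
            return 0.0
        st = self.accounts.setdefault(account, AccountState())
        st.failures += 1
        delay = min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        st.next_allowed = now + delay
        if st.failures >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS
        return delay
```

The clock is passed in as `now` so the logic can be exercised without sleeping; a real deployment would keep this state in a shared store rather than in process memory.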

Refresh passwords: Modern systems typically require users to cycle passwords regularly. Some corporate environments require users to change passwords every 90 days, or maybe even every 30 days. The rationale behind this is that an attacker who is attempting a brute-force attack against a complex password would need weeks to succeed.

If the password changes during that time frame, the attacker will need to start over. However, as many users would confess, these strict password requirements can backfire, with users choosing weaker, sequential passwords ('longhorns2018,' 'longhorns2019,' and so on). An attacker would quickly try incrementing the password.

Monitor for anomalies: Finally, a security-conscious organization should be monitoring user accounts for anomalies, such as logins from unrecognized locations or devices, or repeated login failures. A staffed Security Operations Center (SOC) can detect these events in real time and quickly respond by locking down an account, blocking an IP address, contacting a user, and looking for further activity from this particular attacker.
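A sketch of the two signals named above, repeated login failures and a login from an unrecognized source, run over a few log lines. This is an added example, not from the original article; the log format, the thresholds, the per-user source baseline and all names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_FAILS = 5                   # assumed failure threshold per account

# Constructed baseline of sources previously seen per user.
KNOWN = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.20"}}
# Constructed sample events: timestamp, user, source address, result.
SAMPLE_LOG = """\
2024-03-01T09:00:00 user=alice src=198.51.100.7 result=OK
2024-03-01T09:01:00 user=bob src=203.0.113.9 result=FAIL
2024-03-01T09:01:01 user=bob src=203.0.113.9 result=FAIL
2024-03-01T09:01:02 user=bob src=203.0.113.9 result=FAIL
2024-03-01T09:01:03 user=bob src=203.0.113.9 result=FAIL
2024-03-01T09:01:04 user=bob src=203.0.113.9 result=FAIL
2024-03-01T09:01:30 user=bob src=203.0.113.9 result=OK
2024-03-01T09:10:00 user=alice src=192.0.2.44 result=OK
2024-03-01T09:11:00 user=carol src=192.0.2.80 result=FAIL
"""

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["src"], kv["result"]

def detect(log_text, known_sources):
    """Return alerts as (kind, user, src) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures in window
    seen = {u: set(s) for u, s in known_sources.items()}   # copy; baseline untouched
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, src, result = parse(line)
        fails = recent_fails[user]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()             # drop failures older than the window
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == MAX_FAILS:  # alert when the threshold is reached
                alerts.append(("repeated_failures", user, src))
        elif src not in seen.setdefault(user, set()):
            # A success from a new source right after a failure burst is the worst case.
            kind = "success_after_failures" if len(fails) >= MAX_FAILS else "new_source"
            alerts.append((kind, user, src))
            seen[user].add(src)
    return alerts
```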

Against simple systems, dictionary attacks and brute-force attacks are easy, guaranteed ways in the front door. In more sophisticated environments, these attacks are only useful when attempts can blend into normal activity or target an offline password database to crack password hashes. Still, these techniques are excellent additions to any security professional's tool belt, and they emphasize the importance of regularly updating strong passwords for end users.