Brute-force and dictionary attacks are types of cybersecurity attacks in which an attacker tries to log in to a user’s account by systematically checking and attempting all possible passwords and passphrases until the correct one is found.
After all, the easiest way to attack a system is through the front door, and there must be some way to log in. If you have credentials, you can log in as a normal user would, likely without generating suspicious log entries, tripping IDS signatures, or needing an unpatched vulnerability. If you have the credentials for the system administrator, life is even easier. Attackers have neither of these luxuries; here’s an overview of how they utilize brute-force and dictionary attacks to gain access.
Attackers lack the necessary credentials to log in normally, so they’ll frequently start their attack by looking for a target's email address or domain in password dumps from a compromised website. If the target reused their password on a website that was later compromised, that password may still be valid. But savvy users (and hopefully sysadmins) will use unique passwords everywhere. So the attacker must now turn to one of two more direct attacks: dictionary attacks and brute-force attacks.
In a dictionary attack, the attacker utilizes a wordlist in the hopes that the user’s password is a commonly used word (or a password seen on previously compromised sites). Dictionary attacks are optimal for passwords that are based on a simple word (e.g. 'cowboys' or 'longhorns'). Wordlists aren’t restricted to English words; they often also include common passwords (e.g. 'password', 'letmein', 'iloveyou', or '123456'). But modern systems restrict their users from such simple passwords, requiring users to come up with strong passwords that would hopefully not be found in a wordlist.
To conduct a brute-force attack, an attacker may use a tool to attempt every combination of letters and numbers, expecting to eventually guess the password. If the attacker knows that an organization requires special characters in their password, the tool could be instructed to include letters, numbers, and symbols. Every password, no matter how strong, is vulnerable to this attack. However, this method is going to take a while.
The length of time required to crack a short password (such as a four-digit PIN) might be under a minute. Extending that to six characters could take an hour. Extending that to eight characters, with both letters and symbols, might take days. Note that each additional character multiplies the number of combinations to try, so the time necessary for a brute-force attack to discover the password grows exponentially with its length. So a strong, lengthy password could take weeks or months. But, with enough computing power and a particularly dedicated attacker, the password would eventually be discovered.
Using a strong, uncommon password will make an attacker's job more difficult, but not impossible. Luckily there are more preventative measures that end users can take to prevent (or detect) these attack attempts:
Slow down repeated logins: This is the simplest countermeasure available. An end user is unlikely to notice a 0.1 second delay while logging in, but that delay would accumulate quickly for an attacker, especially if they cannot parallelize their attempts.
Lock accounts: Even better, a system can be configured to lock an account after a specified number of attempted logins. Many websites will trigger additional protections for accounts with repeated bad password attempts. In the extreme case, for example, an iPhone will self-destruct after 10 tries.
Refresh passwords: Modern systems typically require users to cycle passwords regularly. Some corporate environments require users to change passwords every 90 days, or maybe even every 30 days. The rationale behind this is that an attacker who is attempting a brute-force attack against a complex password would need weeks to succeed. If the password changes during that time frame, the attacker will need to start over. However, as many users would confess, these strict password requirements can backfire, with users choosing weaker, sequential passwords ('longhorns2018', 'longhorns2019', and so on). An attacker would quickly try incrementing the password.
Monitor for anomalies: Finally, a security-conscious organization should be monitoring user accounts for anomalies, such as logins from unrecognized locations or devices, or repeated login failures. A staffed Security Operations Center (SOC) can detect these events in real time and quickly respond by locking down an account, blocking an IP address, contacting a user, and looking for further activity from this particular attacker.
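The login delay, account lockout, and repeated-failure monitoring described above, combined in one login guard. This is an added example, not code from the original article; the class and function names, the thresholds, the sample account, and the source address are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

DELAY_STEP = 0.1    # seconds added per prior failure (the article's 0.1 s figure)
MAX_DELAY = 5.0     # assumed cap so a legitimate user is never stalled for long
LOCK_AFTER = 10     # assumed lockout threshold, matching the article's 10-try example
ALERT_AFTER = 5     # assumed threshold at which the SOC is notified

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    def __init__(self, users, sleep=time.sleep):
        self.users = users                 # {username: (salt, password hash)}
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked = set()
        self.alerts = []                   # events a SOC would review
        self.sleep = sleep                 # injectable so tests need not wait

    def attempt(self, user, password, source_ip):
        if user in self.locked:
            return "locked"
        # Delay grows with each prior failure: negligible after one typo, costly for a guessing run.
        self.sleep(min(self.failures[user] * DELAY_STEP, MAX_DELAY))
        salt, stored = self.users.get(user, (b"", b""))
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] == ALERT_AFTER:
            self.alerts.append(("repeated_failures", user, source_ip))
        if self.failures[user] >= LOCK_AFTER:
            self.locked.add(user)
            self.alerts.append(("account_locked", user, source_ip))
        return "denied"

def replay_attempts(guard, user, passwords, source_ip):
    """Feed a constructed sequence of login attempts to the guard; return each outcome."""
    return [guard.attempt(user, p, source_ip) for p in passwords]

# Constructed sample account, not real data.
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hash_password("correct horse battery", SALT))}
```

Lockout keyed on the username also lets anyone who can submit bad guesses lock a legitimate user out, so it needs an unlock path alongside it.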
Against simple systems, dictionary attacks and brute-force attacks are easy, guaranteed ways in the front door. In more sophisticated environments, these attacks are only useful when attempts can blend into normal activity or target an offline password database to crack password hashes. Still, these techniques are excellent additions to any security professional's tool belt, and they emphasize the importance of regularly updating strong passwords for end users.