Bruteforce

You may have noticed that most services that require an account have begun to require more complex passwords or multi-factor authentication to gain access. This requirement stems from the need for service providers to minimize the possibility that a brute force attack on user passwords will be successful. What these kinds of attacks consist of, and how they can be mitigated, will be the topic of this article.

What is a bruteforce attack?

If you have ever forgotten the combination to your travel trolley, you may have realized that, at the expense of a few tens of minutes, you need only try all the number combinations on the three gears to find the right combination and not lose the contents of your precious suitcase. This is a rudimentary but no less effective bruteforce attack.

There is no unambiguous and specific definition, as brute-force is a term that has no basis in computer science, but rather in mathematics, thus more rooted in logic and common language. When we refer to a “brute-force” method in mathematics, logic or computer science, we are describing a method of trying to apply all possible solutions to a problem until it turns out which one is correct. In the field of cyber security, “brute-force” therefore consists of attempting to penetrate a system by trying, systematically, all possible access strategies until the solution is arrived at. To give a more practical example, which is also the case most often referred to when talking about brute force, a hacker intent on decrypting data or accessing a password-protected profile performs a brute force attack by trying to decrypt the data, or access the profile, using all possible combinations of letters, numbers and other characters.

From a mathematical point of view, the success of this attack is certain, but from a practical point of view, who could possibly experience all these combinations in series in a realistic window of time?

For this reason, those who use brute force as a strategy often rely on two factorim

Specific software and powerful calculators to attempt dozens (if not hundreds) of different keys per second to reduce the time spent per attempt

Collect information about the key you are trying to find to reduce the number of combinations attempted

These seem like two trivial items, but, returning to the suitcase example, imagine that if you were certain that your trolley combination did not contain a 9, it would take you at least one-fifth less time to find the right combination, since more than 200 combinations of the 1,000 possible include 9s. Similarly, an individual intent on deriving a password, if he or she were certain that it included (or excluded) specific characters, or words, would take considerably less time and resources to succeed in the task. In the next section we look in a little more detail at how brute force is applied and how to defend against it.

An average hacker can employ software such as Ripper or Hashcat, which make it easy to initiate a brute force operation, coupled with a computer that has sufficiently high-performance calculators. Because of their computing power (net of cost), GPUs, for example, are excellent processors, for this type of operation, easily purchased without major investment (not to mention the fact that they can be easily resold). This premise shows how, theoretically, this type of attack is affordable. But how much time does brute force actually cost?

Continuous estimates are made on the subject, as the perennial improvement of processors increases the efficiency of this technique. Nowadays (2022) it is estimated that an ordinary attacker can derive an 8-character password, containing only upper and lower case letters, in only 2 minutes. If the same password contained numbers, symbols and letters, it would take about 40 minutes. In contrast, a password containing only upper and lower case letters but 12 characters would take 2 days. If it also contained numbers and special characters? About 3,000 years.

How to protect against brute-force attacks

It is therefore clear that the complexity and width of keys have a significant impact on the likelihood that someone will be able to gain access to a system. It is certainly no coincidence that encryption standards, such as AES, employ increasingly long and complex keys to decrypt. At the same time, however, a human being’s ability to invent and remember complex passwords has not improved, right? Not exactly, thanks to password managers and the automation of certain controls (e.g., the requirement to update the password after a certain period of time), it is now easy to maintain the habit of creating passwords that adhere to two simple principles, namely:

Password rotation and nonidentity: the passwords you have are different for each platform (or at least the most important ones) and are periodically updated. Many services and systems also allow you to set up periodic notifications that remind you when a password “expires” (without taking drastic actions such as locking the account)

Complexity: the passwords you use must include lower case and special characters; there is software that generates passwords (not necessarily password managers) that are as long and complex as they are easy to remember;

Ease of retrieval and multi-factor: multi-factor authentication, notifications of new logins, and credential retrieval tools ensure that if you don’t remember a complex password or if by chance your credentials end up in someone’s hands, you remain in control of your logins.

Conclusion

Since bruteforce has been a practice used since the dawn of cybercrime, and since it does not require any kind of specific expertise to be used, several methodologies have been used and are constantly being updated that are very effective deterrents against this type of attack. The simplicity of applying these methodologies means that this technique, however seemingly effective, is easily defeated by users with good computer habits.