How to Prevent Brute Force Attacks in 8 Easy Steps [Updated]
Brute force attacks are increasingly accounting for the majority of cyberattacks across the world as remote work becomes more prevalent. Read this article to learn more about how to prevent brute force attacks from taking over your company and personal accounts.
Editor's note: This post was originally published on October 1, 2020, and has been revised for clarity and comprehensiveness.
Compared to other techniques used by threat actors, brute force attacks don’t need vulnerabilities on a website to work. Instead, these attacks depend on users having weak credentials to succeed. The ease and simplicity of the tactic are why it’s pretty popular among enterprising cybercriminals.
According to recent data, 5% of confirmed security breaches in 2017 resulted from brute force attacks. Another recent study from Kaspersky shows that brute force attacks continue to surge during the pandemic. Compared to 2020, brute force attacks have grown from 13% to 31.6% because of the rise in remote work.
Before the pandemic, employees worked in offices with network infrastructures that were protected all the time from cyber attacks. As more and more employees use their own devices to connect to their corporate network and access company resources, cybercriminals are focusing on the Remote Desktop Protocol (RDP) as an attack vector. Exposed RDP endpoints can be brute-forced as well, and RDP is a popular target because it is akin to a front door to your computer. RDP is also an efficient path for spreading ransomware.
At Intelligent Technical Solutions, we help businesses avoid brute force attacks by ensuring that their technologies are compliant. As a managed service provider (MSP), we perform routine network assessments to determine whether our clients have security gaps in their environment that need to be bridged.
This article will discuss some of the critical things that we advise businesses on preventing brute force attacks. But first, let’s take a closer look at what brute force attacks are precisely and the several types of brute force attacks that threat actors are carrying out.
What Is a Brute Force Attack?
A brute force attack is a type of cyber attack that uses a trial-and-error method to guess all possible combinations of a password, encryption key, or any login information. It is called “brute force” because the malicious actor will use repetitive, forceful attempts to gain unauthorized access to an account. Though surprisingly simple, brute force attacks have a high success rate.
And what do hackers stand to gain from brute force attacks? Attacker motivation for brute force attacks includes information theft, malware distribution, and service disruptions. In other cases, attackers may profit from ads or collecting sensitive data or by ruining a website’s reputation.
Cybercriminals may use applications and programs as tools to carry out brute force attacks. These tools can automate password combinations to bypass authentication systems. Other methods involve guessing the correct session IDs to gain access to web applications.
Bots, however, are most commonly used to perform brute force attacks. Hackers usually have a list of stolen credentials that have been obtained through recent security breaches or those sold over the dark web. The bots will then do all the work and systematically attack websites using the stolen credentials.
Identifying brute force attacks is straightforward: by looking into your Apache access log or Linux authentication log files, you can spot brute force attempts, because the log records every unsuccessful login. Below is an example entry:
Jan 1 20:10:10 host proftpd[25197]: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.
Passwords are not the only target of brute force attacks. Links, directories, usernames, and emails are among the other resources that can be brute-forced.
Brute Force Attacks Examples
Below are the common types of brute force attacks:
Simple Brute Force Attack
A simple brute force attack is where hackers attempt to decode your password without the assistance of scripts or automation. With this attack, weak passwords and PINs are cracked in seconds.
Dictionary Attack
This type of brute force attack happens when a hacker chooses a target and attempts to crack that target’s password by trying many candidate passwords against their username. Words from a dictionary, augmented with special characters and numerals, are commonly used for this attack.
Hybrid Attack
Often, people use a combination of numbers of significance to them - such as a birthday or anniversary date - and words for their passwords. A hybrid attack combines a simple brute force attack and a dictionary attack to guess such mixed login combinations. Essentially, a hybrid attack starts from outside knowledge about the target to work out which password combinations are most likely, and then tries as many variations of those as possible.
Credential Stuffing
Stolen credentials are sold and exchanged between cybercriminals on the dark web. Credential stuffing exploits the fact that users use the same username and passwords across various systems. Threat actors then use these previously-known username-password combinations to log in to user accounts across many websites until they find one that works.
Reverse Brute Force Attack
A reverse brute force attack starts from a publicly known or leaked password; then, the hacker will use automation to search for a matching username, account number, or key.
Rainbow Table Attack
A rainbow table attack is one wherein an attacker uses a rainbow hash table to crack the passwords stored in a database. A rainbow table is a precomputed lookup table used to reverse cryptographic hash functions. The table can be used to recover a password up to a certain length comprising a limited set of characters.
Password Spraying
Traditional brute force attacks attempt to guess passwords for single accounts only. On the other hand, password spraying takes the opposite approach and tries a single password against many accounts. Because each account sees only one or two failed attempts, account lockout policies are not triggered by the activity.
Password spraying targets victims using single sign-on (SSO) and cloud-based applications that rely on federated logins. SSO enables a single authentication credential to access various systems within a single organization. At the same time, federated logins allow users to use a single authentication token to gain access to multiple systems across different enterprises.
How to Prevent Brute Force Attacks
Below are some proven ways for brute force attack prevention:
1. Use Strong Passwords.
Having a strong password policy is the simplest and most effective way of thwarting a brute-force attack. You would want to create a complex password for your web application or a public server that is impossible to guess but is relatively easy to remember. Follow these guidelines when creating a password:
- Don’t use your personal information for your passwords. Avoid using your birthday, name, or email address for your passwords.
- Never recycle passwords for your accounts. Use unique password combinations for each of your online accounts.
- 30% of recycled or modified passwords can be cracked in 10 guesses. Use long passphrases that contain spaces and unique characters. Include numbers, symbols, and uppercase and lowercase characters in your passwords.
- Create a password that’s longer than six characters. Ideally, passwords should be at least 15 characters long.
- Don’t use dictionary words from any language. It’s best to use random character strings rather than words.
2. Limit Login Attempts.
By default, most websites, especially if they run on WordPress, allow unlimited login attempts. If you are a website administrator, you can use a plugin to limit the login attempts possible on your site to block brute force attacks. Such plugins allow you to enter the number of logins you want your visitors to have. Once they exceed the number of attempts, their IP addresses will be banned from your site for a considerable length of time.
3. Monitor IP addresses.
In relation to the second tactic, you should limit login attempts to users coming from a specified IP address or range. This is especially important if you have a hybrid work environment or most of your employees work remotely. Set up alerts whenever you encounter login attempts from anomalous IP addresses and make sure to block them.
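The log-based detection described earlier (the proftpd failure entry) combined with the lockout and IP-monitoring steps above, as an added example that is not part of the original article: it parses proftpd-style failed-login lines, flags client IPs that reach a failure threshold within a time window (the condition a login limiter would ban on), and flags IPs that spread failures across many accounts, the password-spraying pattern that per-account lockouts miss. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the proftpd format the article shows (not real traffic).
SAMPLE_LOG = """\
Jan 1 20:10:10 host proftpd[25197]: yourserver (client[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jan 1 20:10:12 host proftpd[25197]: yourserver (client[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jan 1 20:10:15 host proftpd[25197]: yourserver (client[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jan 1 20:10:19 host proftpd[25197]: yourserver (client[198.51.100.7]) - USER alice (Login failed): Incorrect password.
Jan 1 20:11:01 host proftpd[25198]: yourserver (client[203.0.113.9]) - USER bob (Login failed): Incorrect password.
Jan 1 20:11:02 host proftpd[25198]: yourserver (client[203.0.113.9]) - USER carol (Login failed): Incorrect password.
Jan 1 20:11:03 host proftpd[25198]: yourserver (client[203.0.113.9]) - USER dave (Login failed): Incorrect password.
Jan 1 20:15:00 host proftpd[25199]: yourserver (client[192.0.2.44]) - USER alice (Login failed): Incorrect password.
"""

# Matches only failed logins; the bracketed field after the client host name is the client IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\([^\[]*\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+) \(Login failed\)"
)

def parse_failures(text):
    """Return (timestamp, ip, user) for every failed-login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:   # syslog has no year; %b %d %H:%M:%S is enough for intra-window arithmetic
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def find_offenders(events, max_failures=4, window_s=300, spray_users=3):
    """Flag an IP that reaches max_failures within window_s seconds ("brute-force") or
    that fails against spray_users or more distinct accounts ("spraying")."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = defaultdict(set)
    for ip, attempts in by_ip.items():
        start = 0                       # sliding window over the time-sorted attempts
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[ip].add("brute-force")
        if len({user for _, user in attempts}) >= spray_users:
            flagged[ip].add("spraying")
    return dict(flagged)
```

In a real deployment the flagged IPs would feed the temporary ban list of the login limiter or the alerting described in step 3, rather than being blocked permanently.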
4. Use Two-Factor Authentication (2FA).
Two-factor or multi-factor authentication adds an extra layer of security to your accounts. 2FA requires a user to validate their identity when logging into an account before being granted access. For example, you would be asked to confirm that it was indeed you who’s trying to log into your email when you have 2FA enabled. Before gaining access to your account, you would have to key in a unique code sent to your mobile number as a way of verifying your identity.
5. Use CAPTCHAs.
CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” Essentially, CAPTCHAs are challenges that are difficult for automated computer programs to perform but are easy for humans, such as spotting patterns or clicking in a specific area on a webpage. Websites use them to restrict usage by bots and spam.
6. Use Unique Login URLs
Creating unique login URLs for various user groups would be another challenging and time-consuming step for an attacker. It may not necessarily stop a brute force attack; however, it could deter attackers who can’t be bothered.
7. Disable Root SSH Logins
Brute force attempts against the Secure Shell (SSH) service commonly target the root user, since that account is guaranteed to exist. Edit the sshd_config file and set the “DenyUsers root” and “PermitRootLogin no” options to ensure that the root account cannot be accessed via SSH.
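An added example, not from the original article, that audits an sshd_config for the two settings recommended in this step. The sample configuration is constructed, and the check covers two caveats a practitioner should know: sshd honours the first value it finds for a keyword (so a hardening line appended after an earlier permissive one changes nothing), and a later Match block can re-enable root login for some clients.

```python
# Constructed sample sshd_config (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
Port 22
PasswordAuthentication yes
PermitRootLogin no
DenyUsers root
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) from sshd_config text.
    sshd applies the FIRST value it sees for a keyword, hence setdefault().
    Every line after a 'Match' line belongs to that block until the next 'Match'."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or comment line
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)
        else:
            global_settings.setdefault(key, value)
    return global_settings, match_blocks

def audit_root_ssh(text):
    """List findings; an empty list means root SSH login is disabled as advised above."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    # OpenSSH's compiled-in default for PermitRootLogin is prohibit-password, not 'no'.
    if settings.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no' in the global section")
    if "root" not in settings.get("denyusers", "").split():
        findings.append("root is not listed in DenyUsers")
    for criteria, block in blocks:
        if block.get("permitrootlogin", "").lower() not in ("", "no"):
            findings.append(f"Match block '{criteria}' re-enables PermitRootLogin")
    return findings
```

After editing the file, validate it with `sshd -t` and restart the service; this script only checks the file text, not what the running daemon has loaded.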
8. Use Web Application Firewalls (WAFs)
A web application firewall (WAF) offers adequate protection against brute force attacks that attempt unauthorized access to your system. It usually enforces a maximum number of requests to a URL space from a single source during a specific time interval. Apart from brute force attacks that aim to gain access or steal session tokens, WAFs can prevent denial-of-service (DoS) attacks that drain server resources and block vulnerability scanning tools that probe your computer network for weaknesses.
Stop Brute Force Attacks Today
Brute force attacks are entirely preventable. You can keep brute force attacks at bay and drastically improve your data security by having a strong password policy, limiting login attempts, enabling two-factor authentication, using CAPTCHAs, and blocking malicious IP addresses.
However, you can further enhance your network security by working with experts. Receiving ongoing IT support from an MSP means that you have people who can help you integrate safe practices, such as using 2FA, and monitor changes in the environment, so you’re ready if anything new comes around the corner. Enlisting the help of a managed service provider can take the guesswork out of staying secure in the evolving cyber threat landscape.
If you need help keeping your IT environment secure, ITS can help you in this department. As a managed service provider, we’ve helped bring businesses up to standards so they can maintain the integrity of their networks and infrastructure. Contact us today for a free technology assessment to find out how to get started in strengthening your security posture.