Apple has never officially confirmed it, but the commotion around its iCloud online storage service in 2014 is widely attributed to a simple security gap: a login interface with no brute force protection, which is assumed to have made the theft of various celebrities' private photos possible. Protection measures were implemented quickly after the attack. The mechanism now in place gives users a maximum of ten attempts to enter their password before the login is disabled and the account owner is notified. Before the scandal there was no limit on how many times a password could be tried, so it was only a matter of time before a well-planned brute force attack took place.

What actually is brute force?

Brute force is a method of problem solving in computer science, cryptology, and game theory. It owes its name to the fact that it simply tries out every possible solution, which is why the search is called exhaustive. It is used when no better algorithm is available. Attackers use the technique above all to crack passwords and gain access to personal data. For this purpose they use software with a simple algorithm that tries out a great many candidate passwords in quick succession: every combination of letters, digits, special characters and spaces up to a defined maximum length.

The shorter the password, the quicker it will be cracked by brute force. This is why longer passwords made up of several different character types are generally recommended, together with proper cryptographic protection of the stored passwords. Since the computing power required for such attacks is becoming ever more readily available, more guesses can be checked in a shorter period of time, which makes comprehensive protection against brute force attacks all the more important.

Why you should take brute force attacks seriously

Given how primitive the method is, it would seem obvious that appropriate protective measures are taken everywhere, but this is not necessarily the case. Every computer connected to the internet is potentially at risk. Once an attacker has worked their way into a system (which happens faster than you would expect), your passwords are not far out of reach. Every operating system keeps files or databases in which user IDs and password hashes are stored. On Windows systems these are held in the SAM database (the SAM file under %SystemRoot%\System32\config); on Unix-like systems they are found in /etc/shadow (historically in /etc/passwd itself, which is world-readable and therefore no longer holds the hashes).

Passwords in these files are not stored in plain text but as hashes: the output of a cryptographic one-way function that cannot be reversed, only matched by guessing. Even so, an attacker can still get at the files if they are not sufficiently protected against unauthorized access. The attacker then makes a copy of the file and runs extensive brute force attacks against it offline, with no further connection to the system, so none of the system's own login protections apply. In principle, only three variables now determine how long it will take until the attack succeeds:

  • The duration of a single verification step
  • The length of the password
  • The complexity of the password

The duration of a single verification step, i.e. of trying out one candidate password, depends on the processing power available to the attacker and on the cost of the hash function: the more power and the cheaper the hash, the faster one attempt can be made and the next one started. Length and complexity increase the number of possible combinations from which a password can be built, and therefore the number of candidates that must be tested during the brute force attack. This is how length and complexity affect how quickly a password is cracked:

                              Simple password          Complex password
Character set                 26 characters            72 characters
Character type                lower case only          lower and upper case, numbers, special characters
Maximum password length       8 characters             8 characters
Possible combinations         approx. 209 billion      approx. 722 trillion
                              (26^8)                   (72^8)
Processing power              approx. 100 million hash values per second in both cases
Duration of exhaustive check  approx. 35 minutes       approx. 83 days

The table shows that a modern PC needs only around 35 minutes to test every combination for a simple eight-character password drawn from a 26-character set. Expanding the set to 72 characters makes the exhaustive check take around 83 days with the same computing power (and the 100 million hashes per second assumed here is modest: GPU rigs reach billions of hashes per second for fast, unsalted functions such as MD5 or SHA-1). This is no reason for complacency, however: by trying lists of likely passwords (dictionary attacks) or using rainbow tables (precomputed tables of hash chains that let an unsalted hash be looked up instead of recomputed), attackers can shorten the time an attack takes considerably.
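The arithmetic behind the table, and what an offline attack on a copied hash file actually looks like, as an added example (this is not code from the original article or from any cracking tool; the names keyspace(), crack_time_seconds(), brute_force() and the two-user hash file are constructed for illustration). The block computes the table's figures and then cracks a small, unsalted SHA-256 hash file by exhaustive search and by a word list:

```python
# Added example, not from the original article or any real tool: the table's
# arithmetic plus an offline brute force and dictionary run against a
# constructed "user:sha256" hash file.
import hashlib
import itertools
import string

# Character sets from the table: 26 lower case letters and a 72-symbol set
# (26 lower + 26 upper + 10 digits + 10 specials; which specials is an
# assumption, only the count matters for the arithmetic).
LOWER = string.ascii_lowercase
MIXED = string.ascii_letters + string.digits + "!@#$%^&*()"
assert len(LOWER) == 26 and len(MIXED) == 72


def keyspace(charset_size: int, length: int) -> int:
    """Passwords of exactly `length` symbols: the figure the table uses."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Passwords of at most max_length symbols: what an exhaustive search
    really has to enumerate (a little more than keyspace())."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def crack_time_seconds(candidates: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given verification rate."""
    return candidates / hashes_per_second


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hash: str, charset: str, max_length: int, hash_fn=sha256_hex):
    """Exhaustive search: hash every candidate up to max_length and compare.
    Returns (password, attempts), or (None, attempts) if nothing matched."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def dictionary_attack(target_hash: str, wordlist, hash_fn=sha256_hex):
    """Try likely passwords first: far fewer guesses than an exhaustive search."""
    for word in wordlist:
        if hash_fn(word) == target_hash:
            return word
    return None


# Constructed stand-in for a copied password file ("user:unsalted-sha256").
# A fast, unsalted hash like this is exactly what makes offline cracking cheap.
SAMPLE_HASH_FILE = "alice:{}\nbob:{}\n".format(sha256_hex("zeta"), sha256_hex("abc"))


def crack_hash_file(text: str, charset: str, max_length: int) -> dict:
    """Recover every user's password in the file by exhaustive search."""
    results = {}
    for line in text.splitlines():
        user, _, digest = line.partition(":")
        results[user] = brute_force(digest, charset, max_length)[0]
    return results


if __name__ == "__main__":
    rate = 1e8  # 100 million hashes per second, as in the table
    for n in (26, 72):
        secs = crack_time_seconds(keyspace(n, 8), rate)
        print(f"{n} symbols, length 8: {keyspace(n, 8):,} candidates, "
              f"{secs / 60:.0f} min = {secs / 86400:.1f} days")
    print(crack_hash_file(SAMPLE_HASH_FILE, LOWER, 4))
    print(dictionary_attack(sha256_hex("zeta"), ["password", "123456", "zeta"]))
```

Swapping sha256_hex for a salted, deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) leaves the keyspace unchanged but multiplies the duration of every single verification step, which is the one variable the defender controls once the file has been copied.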

Protection against brute force attacks – how to cover your back

Whether a brute force attack targets a system's central password file or, as with iCloud, the accounts of many users through the login interface, these events show how important it is to protect yourself against this crude but effective guessing method. When it comes to your own passwords, you can take matters into your own hands: use combinations that draw on many different character types, ideally lower and upper case letters, special characters and numbers, and make them long. The more characters the password contains, the harder it is to crack.

Things get a little trickier when creating passwords for online services and the like. Here you are bound to the respective provider's rules, and some still cap passwords at a short maximum length such as eight characters or limit them to letters and numbers, which does not exactly inspire confidence. If this is the case, you should find out what precautions the site operator takes against brute force attacks. If you operate a web service with a login mechanism yourself, this is your responsibility. There are two possible approaches:

  • Secure the password mechanism
  • Establish multi-factor authentication

Securing the password mechanism should be standard for any login, but as the iCloud scandal shows, it is not always the case. The point of the mechanism is to make the work of brute force software as expensive as possible. After a password has been entered incorrectly a certain number of times, no further attempts are accepted and the entry feature is disabled for a while. In addition, the waiting time can be increased after every further failed attempt. You can also go a step further, as Apple finally did, and lock the entire user account after a certain number of failed login attempts and notify its owner. Note that limits per IP address alone are not enough, since attackers spread their attempts across many addresses and many accounts; the counters should be kept per account as well.

Many providers offer multi-factor authentication as an option. It makes the login slightly more involved, because a second component of a different kind is required in addition to the password: typically something the user possesses, such as a one-time code from an authenticator app or hardware token, or a code sent to a registered phone. A guessed password alone is then not enough. A security question or PIN is just another piece of knowledge, not a second factor, and a captcha is not an authentication factor at all: it is a small test to determine whether the login is being carried out by a person or, as with brute force software, by a program, and it complements the measures above rather than replacing them.
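The two approaches above combined in one login flow, as an added example (not the article's code and not any provider's implementation). It applies a per-account throttle with a doubling wait and a ten-attempt lock, checks the password against a salted, deliberately slow hash, and then requires an RFC 6238 TOTP code as a genuine second factor. LoginGuard, login(), the salt, the user "alice" and her password are constructed for illustration; the TOTP secret is the RFC 6238 test key:

```python
# Added example, not the article's or any provider's code: throttle + slow
# password hash + TOTP second factor in one login flow. Names and the user
# record are illustrative.
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LoginGuard:
    """Per-account throttle: a doubling wait after each failure, then a hard
    lock once max_failures is reached (cf. the ten-attempt iCloud limit)."""
    max_failures: int = 10
    base_delay: float = 1.0                  # seconds before the next attempt
    clock: Callable[[], float] = time.time   # injectable so the policy is testable
    _state: dict = field(default_factory=dict)  # account -> (failures, not_before)

    def check_allowed(self, account: str) -> tuple:
        failures, not_before = self._state.get(account, (0, 0.0))
        if failures >= self.max_failures:
            return False, "account locked; owner must be notified"
        if self.clock() < not_before:
            return False, "too many failures; wait before retrying"
        return True, "ok"

    def record_failure(self, account: str) -> None:
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = self.base_delay * 2 ** (failures - 1)   # 1s, 2s, 4s, ...
        self._state[account] = (failures, self.clock() + delay)

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift),
    compared in constant time."""
    return any(hmac.compare_digest(totp(secret, now + i * 30), code)
               for i in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted and deliberately slow: every offline guess costs 100,000 iterations
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (salt and password are made up; the TOTP secret is
# the RFC 6238 test key).
SALT = b"constructed-salt"
USERS = {"alice": (hash_password("correct horse", SALT), b"12345678901234567890")}


def login(guard: LoginGuard, account: str, password: str, code: str, now: int) -> tuple:
    """Throttle first, then password, then second factor. Every failure
    counts against the account, so guessing stalls after a few tries."""
    allowed, reason = guard.check_allowed(account)
    if not allowed:
        return False, reason
    record = USERS.get(account)
    # Hash even for unknown accounts so timing does not reveal which exist.
    given = hash_password(password, SALT)
    if record is None or not hmac.compare_digest(record[0], given):
        guard.record_failure(account)
        return False, "bad credentials"
    if not verify_totp(record[1], code, now):
        guard.record_failure(account)
        return False, "bad second factor"
    guard.record_success(account)
    return True, "ok"


if __name__ == "__main__":
    guard = LoginGuard(clock=lambda: 0.0)
    now, secret = 59, USERS["alice"][1]
    print(login(guard, "alice", "correct horse", totp(secret, now), now))
    print(login(guard, "alice", "wrong", totp(secret, now), now))
    print(login(guard, "alice", "correct horse", totp(secret, now), now))  # throttled
```

The guard's state lives in memory here; in a real service it belongs in shared storage so that an attacker cannot reset the counter by hitting a different server instance, and the "account locked" result must trigger the owner notification the article describes.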

United against brute force attacks

Beyond the measures presented, there are a few tricks for making the work of brute force tools harder. Such tools usually recognize success or failure by matching patterns in the server's response, so it becomes more complicated for them if the standard error messages are not returned directly to the browser but a failed attempt is instead redirected elsewhere, for example to a separate page. Using changing names for the login form fields, which are restored after each attempt, can also cause problems for some tools. In any case, you increase the security of your web project or passwords with every one of the brute force protection measures mentioned. For some platforms and applications there are also specific extensions or tools against brute force attacks. The Jetpack add-on, designed to make managing WordPress sites easier, has a built-in module that blocks attacks based on an IP blocklist, which collects the addresses that have been linked to known brute force attacks on WordPress sites so far.
