What is a brute-force attack?
A brute-force attack is an attempt to discover a password, PIN or other secret by trying candidate values until one is accepted, in order to get into an account, computer or network. Attackers use automated tools that submit guesses far faster than anyone could type them: a pure brute-force tool walks the whole space of possible values, while most real attacks start from lists of common passwords and previously leaked credentials, which usually succeed much sooner.
Exhaustive search is slow. The attacker must in principle try every combination of letters, digits and symbols of every plausible length, and the number of combinations grows exponentially with length. How long this takes depends on two things: the size of that search space, and how fast guesses can be tested. Guesses sent to a live login form are limited by the target's response time and any throttling it applies; guesses against a copy of the password database stolen from the target are limited only by the attacker's hardware. For a long password the first case can literally take years; for a short PIN it can take minutes.
Why are brute-force attacks used?
When cyber thieves seem to be out of other options – for instance, they’re unable to hack into a computer network because they cannot find a hole in the security – they might rely on brute-force attacks.
For shorter, less-secure passwords, brute-force attacks could actually be the easiest available process to gain unauthorized access into a computer or network.
Attackers also favour brute forcing because it is hard to shut down. Attack tools typically spread their guesses across many source IP addresses, using botnets, open proxies or rented cloud hosts, so blocking any one address barely slows the attack: the next guess simply arrives from a different one.
And even where blocking an address does stop the guessing, it can also lock out legitimate users who share that address behind the network address translation of an internet service provider or a large corporation.
How to protect against brute-force attacks?
Many websites guard against attackers by limiting the number of times a user can try logging in. You may have seen this type of protection while trying to log into your email account, a bank account, or any other online site where you may have forgotten your password.
Some sites allow a set number of attempts, many only three, before temporarily refusing further log-in attempts. In some cases the account stays locked until you contact the administrator and prove you are the authorized user.
There is, however, a downside to locking accounts: an attacker who deliberately sends wrong passwords for hundreds of accounts can keep hundreds of users from accessing their own accounts, turning the protection into a denial of service. Because of this problem, some websites choose not to lock accounts after a set number of incorrect attempts, and instead slow the attacker down with delays that grow with each failure, limits per source address as well as per account, and exemptions for devices or addresses that have logged into the account before. Whatever the policy, the login response must be identical for usernames that do not exist, or the throttling itself hands the attacker a list of valid accounts.
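The throttling approach described above, as an added example that is not code from the original page: failures are counted per account and per source address, a temporary block doubles with each failure past a threshold instead of locking the account outright, and a source that has logged into the account before bypasses that account's block. The thresholds, the user table and the attack script are constructed for illustration; the simulation shows both what the throttle does to an attacker rotating source addresses and the lockout it still imposes on the real user from a new address.

```python
"""Login throttling that slows brute-force guessing without handing an
attacker an easy way to lock real users out. Added example, not code from
the original page; the thresholds, the user table and the attack script
are constructed for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    failures: int = 0
    last_failure: float = 0.0
    blocked_until: float = 0.0


class LoginThrottle:
    """Counts failed logins per account and per source address. Past a
    threshold each further failure doubles a temporary block (capped) rather
    than locking the account until an administrator intervenes. A source that
    has previously logged into an account bypasses that account's block, so a
    flood of guesses at a username cannot shut the real user out of their
    usual device."""

    def __init__(self, account_threshold=3, source_threshold=20,
                 base_delay=2.0, max_delay=900.0, window=3600.0):
        self.account_threshold = account_threshold
        self.source_threshold = source_threshold  # shared NAT addresses get more room
        self.base_delay, self.max_delay = base_delay, max_delay
        self.window = window                      # failures older than this are forgotten
        self.accounts = defaultdict(Bucket)
        self.sources = defaultdict(Bucket)
        self.trusted = set()                      # (username, source) pairs that logged in

    def _expire(self, bucket, now):
        if now - bucket.last_failure > self.window:
            bucket.failures, bucket.blocked_until = 0, 0.0

    def _wait(self, bucket, threshold, now):
        self._expire(bucket, now)
        if bucket.failures >= threshold and now < bucket.blocked_until:
            return bucket.blocked_until - now
        return 0.0

    def allow(self, username, source, now):
        """Return (allowed, retry_after_seconds). The answer does not depend on
        whether the username exists, so it cannot be used to enumerate users."""
        wait = self._wait(self.sources[source], self.source_threshold, now)
        if (username, source) not in self.trusted:
            wait = max(wait, self._wait(self.accounts[username],
                                        self.account_threshold, now))
        return wait == 0.0, wait

    def record_failure(self, username, source, now):
        for bucket, threshold in ((self.accounts[username], self.account_threshold),
                                  (self.sources[source], self.source_threshold)):
            self._expire(bucket, now)
            bucket.failures += 1
            bucket.last_failure = now
            if bucket.failures >= threshold:      # 2s, 4s, 8s ... up to max_delay
                bucket.blocked_until = now + min(
                    self.base_delay * 2 ** (bucket.failures - threshold), self.max_delay)

    def record_success(self, username, source):
        self.accounts.pop(username, None)         # a real login clears the account count
        self.trusted.add((username, source))


def _hash(password, salt):
    # Iteration count kept low so the simulation is quick; production code
    # uses a deliberately slow password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2000)


_ALICE_SALT, _DUMMY_SALT = os.urandom(16), os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct-horse-battery", _ALICE_SALT))}  # constructed


def verify_password(username, password):
    salt, stored = USERS.get(username, (_DUMMY_SALT, b""))
    # Hash even for unknown users so response time does not reveal who exists.
    return hmac.compare_digest(_hash(password, salt), stored) and username in USERS


def login(throttle, username, source, password, now):
    """One login attempt; returns 'locked', 'ok' or 'bad'."""
    if not throttle.allow(username, source, now)[0]:
        return "locked"                           # refused before checking the password
    if verify_password(username, password):
        throttle.record_success(username, source)
        return "ok"
    throttle.record_failure(username, source, now)
    return "bad"


def simulate():
    """An attacker guesses alice's password once a second for ten minutes,
    rotating ten source addresses to dodge per-IP blocking; alice then logs in
    from a new address and from her usual one. Returns a summary dict."""
    t = LoginThrottle()
    t.record_success("alice", "198.51.100.7")    # alice has logged in from home before
    outcomes = defaultdict(int)
    for second in range(600):
        source = f"203.0.113.{second % 10}"
        outcomes[login(t, "alice", source, f"password{second}", second)] += 1
    cafe_wait = t.allow("alice", "192.0.2.9", 600)[1]
    return {
        "guesses_checked": outcomes["bad"],        # only 11 of 600 reach the password check
        "guesses_refused": outcomes["locked"],
        "cafe_retry_after": cafe_wait,             # the downside: alice is blocked too ...
        "alice_from_cafe": login(t, "alice", "192.0.2.9", "correct-horse-battery", 600),
        "alice_from_home": login(t, "alice", "198.51.100.7", "correct-horse-battery", 600),
    }
```

Running `simulate()` shows the trade-off in numbers: of 600 guesses only 11 are ever compared against the stored hash, because the block doubles after every failure, and the per-source counters never trigger since the eleven real failures are spread over ten addresses. The same block keeps alice out for another 424 seconds when she tries from an unfamiliar address, which is exactly the denial-of-service problem the text describes; the cap on the delay and the exemption for her usual address are what keep that from becoming a lockout that needs an administrator to clear.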
Some websites require fairly complex passwords: a minimum length, plus digits or symbols mixed in. Each additional character multiplies the number of possible passwords by the size of the alphabet, so length does far more to defeat exhaustive guessing than sprinkling in punctuation; a long passphrase of ordinary letters has a larger search space than a short password full of symbols. Complexity rules do nothing, however, for a password that appears on a list of commonly used ones, since attackers try those first.
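To put numbers on the "years" claim above and on the length-versus-symbols point, here is an added example (not code from the original page) that computes the search space for a password of a given length and alphabet and the time needed to exhaust it at several guess rates. The guess rates are assumptions chosen to show the spread between an online attacker held to a login form's pace and an offline attacker with a stolen, fast-hashed password database; they are not measurements.

```python
"""How password length and alphabet size set the cost of an exhaustive
search. Added example, not from the original page; the guess rates are
assumptions chosen to contrast online and offline attackers."""
import math
import string

ALPHABETS = {
    "digits": len(string.digits),                                       # 10
    "lowercase": len(string.ascii_lowercase),                           # 26
    "mixed case + digits": len(string.ascii_letters + string.digits),   # 62
    "all printable ASCII": len(string.ascii_letters + string.digits
                               + string.punctuation),                   # 94
}

# Assumed guesses per second. Online guessing is bounded by the server's
# round trip and any throttling; offline guessing against a stolen,
# fast-hashed database is bounded only by the attacker's hardware.
GUESS_RATES = {
    "online, single client": 10.0,
    "online, 10,000-node botnet": 1e5,
    "offline, fast hash on GPUs": 1e11,
}


def keyspace(alphabet_size, length):
    """Distinct passwords of exactly `length` symbols. This is the attacker's
    worst case: a random password is found half-way through on average, and
    human-chosen passwords fall much earlier because likely candidates are
    tried first."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password. Each extra symbol adds
    log2(alphabet) bits, so length scales the cost exponentially."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(alphabet_size, length):
    """Seconds to try every password, for each assumed guess rate."""
    return {name: keyspace(alphabet_size, length) / rate
            for name, rate in GUESS_RATES.items()}


def human(seconds):
    """Render a duration in the coarsest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def report(length, alphabet_name):
    size = ALPHABETS[alphabet_name]
    print(f"{length} symbols from {alphabet_name} ({size}): "
          f"{keyspace(size, length):.2e} passwords, "
          f"{entropy_bits(size, length):.0f} bits")
    for name, secs in exhaust_seconds(size, length).items():
        print(f"  {name:<28} {human(secs)}")


if __name__ == "__main__":
    # A policy-style "complex" 8-character password versus a longer
    # all-lowercase one: the longer one has the bigger search space.
    report(8, "all printable ASCII")
    report(12, "lowercase")
    # A 6-digit PIN: a million candidates, gone within a day at ten
    # guesses a second and instantly offline.
    report(6, "digits")
```

The comparison in the `__main__` block is the one worth remembering: twelve lowercase letters give about 9.5e16 candidates, eight characters drawn from all 94 printable ASCII symbols give about 6.1e15, so the plain but longer password is roughly fifteen times more work to exhaust. At ten guesses a second against a live login form either takes millions of years; at 1e11 guesses a second against a stolen fast hash the 8-character one falls in under a day.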
One tool used by many websites is to ask for the answer to a "secret" question posed to the authorized account user. You may have seen these questions when signing up for an email or online banking account: "What is your mother's maiden name?" or, "What is the name of your first elementary school?"
This can disrupt automated brute-force tools and adds a hurdle even for an attacker who has already obtained your username and password. It is a weak hurdle, though: answers such as a mother's maiden name or a first school are often guessable, or can be found in public records and social media profiles, so secret questions should not be the only barrier after the password.
Another common tool used to prevent brute-force attacks is a CAPTCHA, which stands for "Completely Automated Public Turing Test To Tell Computers and Humans Apart." These tools ask the user to complete a specific task to verify they are a human rather than a computer. Some sites combine CAPTCHA technology with passwords and usernames as an added level of security. A CAPTCHA raises the cost of automation rather than eliminating it, since challenges can be forwarded to human solving services or to automated solvers, so it works best alongside rate limiting rather than instead of it.