Brute Force Attack
A brute force attack is a hacking technique for discovering user credentials by trying many candidate credentials in turn. It does not exploit any vulnerability in the application; it simply guesses different permutations and combinations of usernames and passwords to see whether any of them is correct.
It is a very basic trial-and-error method automated with a tool. The tool takes an array of usernames and passwords and tries all possible combinations until it finds the correct credentials.
Requirements for a brute force attack
1. Password list
2. Brute force tool (like Metasploit, Aircrack-ng, Hydra, Medusa, etc.)
A username list may also be used, but it is optional: a single known username is enough to search for its password.
How does a brute force attack work?
Brute force tool → (Usernames & Passwords) → Authentication → (Response) → Success/Failure
The brute force tool takes each username/password combination and tries it against the web application. If the combination logs in successfully, it is stored as a correct credential; otherwise it is discarded. The tool then moves on to the next combination and repeats the process for every permutation and combination in its lists. In the end, it returns all the correct credentials to the hacker, who can then log in.
How to prevent brute force attacks?
• Increase password length – Hackers can generate password lists using automated computing. However, if your password is very long, it will take the hacker days, even with the most powerful computers, to produce a list that long. This delay in trying to figure out the credentials via brute force discourages hackers. Secure your password in the middle of 300 billion.
• Increase password complexity – Adding letters, numbers, special characters, etc. increases password complexity, and the time it takes hackers to reach your user credentials grows by weeks.
• Limit login attempts – If the web application allows only 5-10 login attempts before it locks further attempts on that account, it completely rules out hacking through a brute force attack. Since brute force works only when millions and millions of combinations are tried, limiting attempts to a few makes it unworkable. An alert is also sent to the user, who can change the password instantly.
• Use OTPs – One-time passwords (OTPs) combined with regular passwords are an effective way to prevent brute force attacks. They ensure that only a single attempt at the password has been made, and on top of that a special code sent only to the user has to be entered. The OTP is also limited to 3-5 attempts before the account is blocked. If 1-2 secret questions accompany the OTP, it is called 2-factor authentication (2FA).
• Use captcha – Captchas dismantle brute force attacks, as brute force tools are not designed to fill in a captcha at every username/password attempt they make.
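The "limit login attempts" control above, as an added example that is not Appknox's code: a sliding-window counter that locks an account after a fixed number of failures, replayed over a constructed auth log. The thresholds, the log format and the usernames are assumptions made for the example.

```python
# Added example (not Appknox's code): sliding-window login-attempt limiter, i.e. the "limit login attempts" control.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures allowed inside WINDOW before lockout (assumed)
WINDOW = timedelta(minutes=10)   # sliding window in which failures are counted (assumed)
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked (assumed)

class AttemptLimiter:  # per-username failure tracking with temporary lockout
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime when the lock expires
    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until
    def record(self, user, success, now):
        """Record one attempt; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True                     # reject before checking any password
        q = self.failures[user]
        if success:
            q.clear()
            return False
        q.append(now)
        while q and now - q[0] > WINDOW:    # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            q.clear()
            return True
        return False

# Constructed sample auth log (not real data): "<ISO time> <user> <ok|fail>"
SAMPLE_LOG = "\n".join(
    [f"2025-01-09T10:00:0{i} alice fail" for i in range(1, 6)]
    + ["2025-01-09T10:00:06 alice ok",   # right password, but account is already locked
       "2025-01-09T10:00:07 bob fail",
       "2025-01-09T10:00:08 bob ok"])

def replay(log_text):
    """Replay log lines; return (users that got locked, attempts rejected while locked)."""
    limiter, locked, rejected = AttemptLimiter(), [], 0
    for line in log_text.splitlines():
        ts, user, result = line.split()
        now = datetime.fromisoformat(ts)
        if limiter.is_locked(user, now):
            rejected += 1
        elif limiter.record(user, result == "ok", now) and user not in locked:
            locked.append(user)
    return locked, rejected
```

With the sample log, `replay(SAMPLE_LOG)` returns `(['alice'], 1)`: alice is locked on the fifth failure and her later correct login is rejected, while bob's single failure never reaches the threshold.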