Brute force attacks are neither new nor unique. In fact, hackers have been using them for decades. While they’re not overly complicated, and there are ways to protect against them that our Miami cybersecurity company can help you with, the main issue is the rise in computing power.
Hackers can easily run through lists of hundreds of thousands of passwords to try and “guess” the one you’re using.
What is a Brute Force Attack?
You'll find multiple types of brute force attacks:
- Simple attacks
- Dictionary attacks
- Reverse brute force attacks
- Credential stuffing
A simple definition of a brute force attack is trying combinations of letters, numbers and special characters until one of them turns out to be the password. The most common password is “123456,” so let’s assume that I have every email account in your organization.
I may decide to try “123456” on every email address to try and hack into them.
If you’re a company like Dunkin’, which was subject to a massive attack in 2015, a hacker may use a dictionary to run through all of the accounts that exist. Hackers may know your email address or login username, so they’ll use an entire dictionary of words and letter combinations to gain access to an account.
Since the attack doesn’t involve finding a weakness in the software or anything of the sort, it’s much easier to put on autopilot.
Brute force attacks use software that detects when the credentials entered are correct and will log the username and password combination so that the hacker can use it to gain access to the account.
How Do You Protect Against Brute Force Attacks?
Our cybersecurity company in Miami has many recommendations for ways to enhance your password security and do so with relative ease:
- Force longer passwords of 8 – 16+ characters, which are much harder to crack than shorter passwords.
- Require greater password complexity: passwords that are not only longer, but also force users to mix upper and lowercase letters, numbers and special characters.
- Limit login attempts for each user. For example, block login for a certain period of time if five failed login attempts occurred in the last 20 minutes.
- Two-factor authentication is another security option that, when required, works very well. If the user has to link a phone number to their account and verify the code, it increases the account’s security drastically.
- Restricting IP addresses is a more advanced tactic, but if you want to only allow certain IPs to access the login page, it will eliminate most attacks before they start.
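The login-attempt limit above (five failures in the last 20 minutes) implemented as a per-user sliding-window lockout. This is an added example, not code from the article; the 15-minute block duration, the `verify` callback and the `attempt_login` helper are assumptions.

```python
from collections import defaultdict, deque
import time

# Policy values from the article's example; the lockout duration is an assumption.
MAX_FAILURES = 5
WINDOW_SECONDS = 20 * 60      # failures are counted over the last 20 minutes
LOCKOUT_SECONDS = 15 * 60     # assumed block duration once the limit is hit

class LoginThrottle:
    """Per-user sliding-window failure counter with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures, self.window, self.lockout, self.clock = max_failures, window, lockout, clock
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> time at which the block expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:            # block expired: start the user with a clean slate
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user):
        """Log one failed attempt; return True if this attempt triggered a lockout."""
        now = self.clock()
        q = self._failures[user]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        self._failures[user].clear()

def attempt_login(throttle, user, password, verify):
    """Return 'locked', 'ok' or 'denied'. verify(user, password) is the real credential check."""
    if throttle.is_locked(user):
        return "locked"                      # refused without even checking the password
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"
```

While an account is locked, even the correct password is refused, so the response should tell the user when they may retry rather than whether the password was right.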
Many corporations force users to reset their passwords quarterly or every six months. If you follow this path, it reduces the risk of a hacker attacking accounts with credentials from data leaks that occurred on the same or other sites.
Since users often reuse passwords across sites, forcing password changes can help protect accounts against brute force attacks.
If you follow the tips above to prevent brute force attacks, you’ll secure your organization’s accounts and its data.