On the subject of cybersecurity, one term that often comes up is brute force attack. A brute force attack is any attack that doesn’t rely on finesse, but instead uses raw computing power to crack security or even the underlying encryption.
In this article we go over what brute force attacks are, how they work, and how you can prevent it from happening.
What does brute force attack mean?
The real-world equivalent of a brute force attack is getting past a lock not with a lockpick, but rather with a crowbar. It’s noisy, messy, and not very elegant, but it gets the job done.
One good example of how this principle plays out digitally is what’s called a dictionary attack — used in the famous 2012 Dropbox security incident that saw 68 million users’ credentials breached. In this scenario, an attacker will try to guess a password for an online account by having a program try thousands, if not millions, of common words in the hope of getting lucky and finding one that works.
The guesses are based on known passwords and their derivatives, not just dictionary words, and each guess is usually done one by one. All it takes is a system powerful enough to run through the math, over and over again, until the program hits on the right combination of symbols that make up the password for that account.
It should be mentioned that using a digital crowbar in this way isn’t just resource intensive, but also takes up a lot of time. Though entering possible passwords can be done quickly, in just milliseconds, the sheer volume means those milliseconds add up. As a result, the owners of a site often can shut down an attack before it does any real damage — but not always.
Brute force attack examples
Dictionary attacks are just one type of brute force attack, just like crowbars are only one way to break open a lock. Below are some of the more common ones.
Credential stuffing
Credential stuffing attacks are another very basic type. Rather than guess victims’ login information, they instead take known credentials — usually made public in a breach — and then try them on different sites in massive numbers (stuffing them).
Since many people reuse their username and password — a result of password fatigue as much as anything — this makes credential stuffing a successful attack vector for any cybercriminal trying to make a quick buck.
Password spraying attacks
Password spraying attacks, also known as reverse brute force attacks, take a similar tack. In this case, attackers will have a list of usernames and they will then go down this list using simple passwords, hoping to get lucky.
This type is especially effective against organizations with sloppy security. Most companies have a set way to generate usernames (combining first and surnames, for example), and admins don’t always make users change the default password (which is often something like password123). If even one user didn’t change their password, the attackers get easy access.
Brute force attack prevention
If you have a sharp eye, you noticed that all the above types of brute force attacks have one thing in common: They all target easily guessed passwords. Therefore if you secure your password, you’re mostly safe from these kinds of brute force tactics.
For example, dictionary attacks can be defended against by using long, random passwords. These will stymie any password generation program since they can’t predict what the next symbol will be. The longer you make them, the longer they’ll take to crack, adding up to billions of years with a 16-character password.
Credential stuffing attacks can be prevented by always using random passwords and never using the same password twice. Even if a breach exposes one of your passwords, you’ll know all your other accounts are safe.
Using these two tactics will also prevent password spraying attacks since these rely on organizations reusing weak passwords. By always using strong passwords in combination with two-factor authentication (2FA), which makes you use a second device to prove your identity, you’ve rendered any password-spraying attempt useless.
How to prevent brute force attacks with Proton
All the above tips are part of a decent password policy, whether you’re a business or an individual. However, to implement them, you’re going to need a password manager, a program that can generate and store passwords for you, and even autofill them as you browse. They are a way not just to improve your online security, but also your quality of life.
A password manager can be so much more, too, which is why we developed Proton Pass. Our password manager has all the basic functionality you need to protect yourself from brute force attacks — including built-in 2FA support that makes this vital feature a lot less hassle — but also offers some unique extras that will help you build a digital identity that will keep you secure from attacks.
For example, when creating accounts you can use hide-my-email aliases, which point to your real email address without revealing it. These make it very hard for most brute force attacks to target you as they won’t have a username that has been used on other accounts. You can also opt to use passkeys on sites that support this state-of-the-art authentication method. Using these, there’s no password to guess, making brute force attacks pointless.
Besides these, we also have a few features that improve your security in more general ways. The best example is end-to-end encryption, which ensures that your passwords are known only to you. Nobody, not even we, know what you’re storing with us. This is great for security, but also promotes greater privacy.
This combination of security and privacy is what makes Proton the leader in this field. As we are entirely funded by subscriptions — no venture capital, no advertisers — we rely on you to keep us in business. As a result, we’ll always put you, our community, first. If that sounds like something you’d like to be a part of, join Proton Pass today.