Have you ever forgotten your password and tried every combination you could remember? Maybe you gained access to your account right away, and maybe it took a little while before you could get in again. Hackers use a very similar technique to obtain unauthorized access to information. This method is known as a brute force attack. These attacks are unsophisticated, easy to detect, and notoriously difficult to prevent.
How a Brute Force Attack Works
Using automated software, a hacker tries every possible combination of letters, numbers, and symbols to guess the password for an account. To be successful, the hacker must know the login or at least the format for the login and have enough time to try as many attempts as it takes.
Systematically guessing every possible password is time-consuming. That’s why most hackers use programs that cycle through dictionaries of real words and variations of those words. This is known as a hybrid or dictionary attack. These types of attacks are much faster but do not cover every possible combination. Another variation tries a single password against many accounts at once. With this method, the hacker gains entry to any account that happens to use that password.
Brute force attacks are the most common because they work. Fortunately, there are strategies for discouraging them. However, not all countermeasures are perfect.
Locking an account after a specified number of failed attempts can hinder a brute force attack, but this method has limitations. Hackers may deliberately flood a system with failed login attempts just to tie up the resources of the helpdesk. With numerous customers locked out of their accounts, administrators can become overwhelmed with complaints.
Hackers can also use the system’s responses to failed attempts to build a list of legitimate account names, for example when an existing account locks out after repeated failures while a non-existent one never does. Once the names of the accounts on file are known, it becomes easier to eventually find the password to one or more of them. Lockouts also do not protect against attacks that try a single password across all accounts, since no individual account accumulates enough failures to trigger the safeguard. A hacker can still gain access without tripping it.
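The two weaknesses above can be narrowed at the login handler itself. The following is an added illustration, not code from the original article: it returns the same generic response for an unknown account, a wrong password and a locked account, so failed attempts reveal nothing about which usernames exist, and it keeps a second failure counter per source address so that one password tried against many accounts is throttled even though no single account reaches its lockout threshold. The user store, the salted PBKDF2 digest and the thresholds are assumptions chosen for the example; a real deployment would use its own database and password-hashing library.

```python
"""Lockout policy that limits what an attacker can learn from it (added example)."""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES_PER_ACCOUNT = 5   # lock an account after this many failures in the window
MAX_FAILURES_PER_SOURCE = 20   # throttle a source address after this many failures across any accounts
LOCKOUT_SECONDS = 900          # failures older than this no longer count


def _digest(salt: bytes, password: str) -> bytes:
    # Placeholder hash for the example; iteration count kept low for speed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user store: username -> (salt, digest)
USERS = {
    "alice": (b"salt-a", _digest(b"salt-a", "correct horse battery staple")),
}


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now                               # injectable clock for testing
        self.account_failures = defaultdict(list)    # username -> [failure timestamps]
        self.source_failures = defaultdict(list)     # source address -> [failure timestamps]

    @staticmethod
    def _recent(stamps, now):
        # Drop timestamps outside the window and return how many remain.
        cutoff = now - LOCKOUT_SECONDS
        stamps[:] = [t for t in stamps if t >= cutoff]
        return len(stamps)

    def attempt(self, username: str, password: str, source: str) -> str:
        """Return "ok" or "denied".

        The denial never distinguishes unknown account, wrong password or
        lockout, so the response cannot be used to enumerate usernames.
        """
        now = self.now()
        account_locked = self._recent(self.account_failures[username], now) >= MAX_FAILURES_PER_ACCOUNT
        source_throttled = self._recent(self.source_failures[source], now) >= MAX_FAILURES_PER_SOURCE

        record = USERS.get(username)
        if record is None:
            # Unknown user: still do the hashing work so timing does not reveal absence.
            _digest(b"dummy-salt", password)
            valid = False
        else:
            salt, expected = record
            valid = hmac.compare_digest(_digest(salt, password), expected)

        if valid and not account_locked and not source_throttled:
            self.account_failures[username].clear()
            return "ok"

        # Every denial counts against both the account and the source address.
        self.account_failures[username].append(now)
        self.source_failures[source].append(now)
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.attempt("alice", "wrong", "198.51.100.1"))                       # denied
    print(guard.attempt("nobody", "wrong", "198.51.100.1"))                      # denied (same answer)
    print(guard.attempt("alice", "correct horse battery staple", "198.51.100.1"))  # ok
```

The per-source counter is deliberately coarse: it cannot stop a spray spread across many addresses, which is why the detection of many distinct accounts per address, discussed later in the article, still matters.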
To improve security, a second screen that prompts users to enter a second password or answer a security question helps to slow down hackers. More sophisticated systems will also use independent verification. An email or text is sent to the user to ensure that the right person is accessing the account.
Fighting Against Bots
Hackers use automated programs to speed up their efforts. These programs are known as bots and are hard to stop. Not all bots are bad for a web application, and it is difficult to distinguish between bots that have a right to be on a website and those that do not.
CAPTCHA screens help to distinguish between a human user and an automated system. The screen displays an image that only a human should be able to interpret. The user must respond by answering a question successfully. While this method slows down hackers, it is not perfect. Image recognition software allows bots to mimic the responses human users might provide.
Systems administrators can also set up their systems to detect the activity of bots engaged in a brute force attack. Too many failed attempts on a single account, or a single IP address making attempts against many different accounts, are both clear indications that the system is under attack.
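Both indicators can be checked directly from authentication logs. The following is an added example, not code from the original article, that parses a constructed log format (the `auth: FAIL user=... src=...` layout, the sample lines and the thresholds are all assumptions for this example) and raises an alert when one account collects too many failures, or one source address fails against too many distinct accounts, within a sliding window.

```python
"""Flag brute-force and password-spray patterns in auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example; adapt the pattern to your system's logs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_ACCOUNT = 5     # failures on one account within the window
MAX_ACCOUNTS_PER_SOURCE = 10  # distinct accounts one address fails against within the window


def parse(lines):
    """Turn matching log lines into (timestamp, result, user, src) tuples; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(lines):
    """Return sorted (kind, key) alerts: ('account', user) or ('source', src)."""
    alerts = set()
    account_fails = defaultdict(list)    # user -> [timestamps of failures]
    source_targets = defaultdict(list)   # src  -> [(timestamp, user) of failures]
    for ts, result, user, src in sorted(parse(lines)):
        if result != "FAIL":
            continue
        cutoff = ts - WINDOW

        # Indicator 1: many failures against a single account.
        af = account_fails[user]
        af.append(ts)
        af[:] = [t for t in af if t >= cutoff]
        if len(af) >= MAX_FAILS_PER_ACCOUNT:
            alerts.add(("account", user))

        # Indicator 2: one address failing against many different accounts.
        st = source_targets[src]
        st.append((ts, user))
        st[:] = [(t, u) for t, u in st if t >= cutoff]
        if len({u for _, u in st}) >= MAX_ACCOUNTS_PER_SOURCE:
            alerts.add(("source", src))
    return sorted(alerts)


# Constructed sample log: six failures on "alice" from different addresses, twelve failures
# from 203.0.113.9 each against a different account, plus unrelated noise.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} auth: FAIL user=alice src=198.51.100.{i + 1}" for i in range(6)]
    + [f"2024-05-01T10:{1 + i // 6:02d}:{(i % 6) * 10:02d} auth: FAIL user=u{i:02d} src=203.0.113.9"
       for i in range(12)]
    + [
        "2024-05-01T10:02:00 auth: OK user=bob src=192.0.2.5",
        "2024-05-01T10:02:30 auth: FAIL user=carol src=192.0.2.7",
        "2024-05-01T10:03:00 cron: unrelated entry",
    ]
)

if __name__ == "__main__":
    for kind, key in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {key}")
```

Keeping the two counters separate is the point: the spray against twelve accounts never pushes any one account past its threshold, and the six failures against `alice` come from six different addresses, so each pattern is only visible to its own indicator.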
Designing a Better System
The best defense against brute force attacks begins with the right design for your web application security. Experienced web security firms can perform an analysis to determine a structure that protects your customers’ accounts from hackers.