
What are Brute Force attacks to find passwords and keys

Brute-force attacks are simple to understand but difficult to counter. Even a complex cryptographic system can now be cracked by a brute-force attack carried out by a series of fast computers. These attacks can be launched against any type of encryption or security system with access credentials (from a simple password for logging into a site or service to an encrypted compressed file), and they become faster and more effective as more and more powerful computers are produced. Let's see together, in simple and easy-to-understand words, what brute-force attacks are, what tools are used, and what we risk if we don't choose our passwords well and/or rely on old and outdated (easier to break) security protocols.


How Brute Force attacks work

Brute-force attacks in the computer field are quite simple to understand. Given a password-protected program, a hacker who wants to crack it tries each combination of characters, symbols, letters, or numbers in turn until the right key is found.
Obviously, these attempts are not made by hand but automatically by a computer program, which runs faster the more powerful the computer used.

Dictionary attack

The simplest brute-force attack that can be carried out is the dictionary attack. It relies on a dictionary of written words, often a list of common passwords or a series of targeted words (i.e. tailored to the person or service being targeted).

In practice, instead of trying all possible combinations, the attacker tries the words people use most, for example proper names, city names, names of players, years and dates, and so on. Keep in mind that passwords and encryption keys are different things: a key is generated in a totally random way, while a password must be remembered and entered manually, so it is a simpler word. Finding an encryption key is difficult and requires a brute-force attack, while passwords are found with simple dictionary attacks.

Cracking the encryption protocol

The most effective but also the most difficult brute-force attack to carry out is cracking the encryption protocol. The cracker (i.e. the hacker who attempts this type of attack) does not try to guess the password from a dictionary but tries to break the protocol that protects the communication, the encrypted file, or the login page: once the weak point is found, the cracker uses it to bypass the password and immediately access all data.

As mentioned, carrying out this type of attack is not at all easy and requires a great deal of cracking experience, as well as considerable economic and IT resources. With the updating of security protocols, this type of attack has become very rare and is accomplished only by a large number of crackers all focusing on a single protocol to break.
We can rest assured: this type of attack is not easy to carry out, and the necessary resources are certainly not spent on a home Wi-Fi network, unless we use already-broken protocols such as WEP and WPA, as seen in our guide How to crack WiFi WPA / WPA2 network password.

Brute-force attacks on websites

There is a distinct difference between an online and an offline brute-force attack. For example, if an attacker wanted to steal my Gmail password, they couldn't find it by trying the various combinations on the Gmail site, because Google prevents it: after several attempts, it blocks access and asks for a Captcha code to stop any automatic program from attempting to log in. Services that provide access to online accounts, such as Facebook, likewise stop login attempts from those who try to log in too many times with wrong passwords.

On the other hand, if the hacker has access to a computer that has a password manager with an encrypted key, he has plenty of time to launch a brute-force or dictionary attack, keeping it running until the password is found. There is then no way to prevent a large number of passwords from being tried in a short period of time. Theoretically, no cryptography is invincible, although it can take over a month to break through the toughest resistances.

Speed of a Brute-Force attack

How quickly a brute-force attack can be conducted depends entirely on the hardware used. Intelligence agencies (but also, on paper, hackers) can build huge servers specialized in shared computing, designed only to find encryption keys or to break them. The method often exploits the power of modern GPUs, the same ones used for games and cryptocurrencies, which can process billions of pieces of data per second and crack any simple password or standard protocol (at the cost of very high electricity and management costs).

Nobody will use these resources for our dear home PC unless we hide some secrets from the NSA or the CIA! In this case, it is better to read the following chapters immediately.
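An added illustration, not code from the original article: a small password audit that contrasts a dictionary hit with the size of an exhaustive search at the kind of speeds discussed above. The word list and both guess rates are constructed assumptions, and the keyspace figure only describes randomly generated passwords.

```python
import math
import string

# Constructed sample; a real audit would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "juventus", "milano1990"}

# Assumed guess rates (guesses per second), for illustration only.
ONLINE_RATE = 10                # login form that throttles attempts
OFFLINE_RATE = 10_000_000_000   # GPU hardware working on a stolen file

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 31_536_000

def charset_size(password):
    """Alphabet an exhaustive search must cover (ASCII classes only)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def keyspace(password):
    """Candidates of this exact length over the password's alphabet."""
    return charset_size(password) ** len(password)

def entropy_bits(password):
    """log2 of the keyspace; meaningful only for randomly generated strings."""
    size = keyspace(password)
    return math.log2(size) if size > 1 else 0.0

def in_dictionary(password):
    """True if a dictionary attack finds it without any exhaustive search."""
    return password.lower() in COMMON_PASSWORDS

def worst_case_seconds(password, guesses_per_second):
    """Time to try every candidate; 0 when the word list already contains it."""
    if in_dictionary(password):
        return 0.0
    return keyspace(password) / guesses_per_second

def audit(password):
    """Summary a registration form could use to reject weak choices."""
    return {
        "dictionary_hit": in_dictionary(password),
        "bits": round(entropy_bits(password), 1),
        "online_years": worst_case_seconds(password, ONLINE_RATE) / SECONDS_PER_YEAR,
        "offline_years": worst_case_seconds(password, OFFLINE_RATE) / SECONDS_PER_YEAR,
    }

if __name__ == "__main__":
    for pw in ("juventus", "abcdef", "Tr0ub4dor&3x!"):   # constructed inputs
        print(pw, audit(pw))
```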

How to slow down brute force attacks

One of the most used methods to make life difficult for hackers is hashing: using strong hashing algorithms can slow down brute-force attacks. Hash algorithms like SHA1 and MD5 do extra mathematical work on a password before storing it.
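Added example, not from the original article: MD5 and SHA-1 are built to be fast, so in practice the slowdown comes from a salted, deliberately slow key-derivation function. The sketch compares the per-guess cost of one MD5 pass with PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count and the sample password are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def fast_hash(password):
    """Single unsalted MD5 pass: cheap for the server and for the attacker."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns the record to store."""
    if salt is None:
        salt = os.urandom(16)          # unique per user, stored with the hash
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived

def verify(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(derived, expected)

def seconds_per_guess(fn, *args, repeat=1):
    """Average wall-clock cost of one call, i.e. of one attacker guess."""
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat

if __name__ == "__main__":
    pw = "correct horse battery"       # constructed sample password
    fast = seconds_per_guess(fast_hash, pw, repeat=1000)
    slow = seconds_per_guess(slow_hash, pw, b"\x00" * 16)
    print(f"MD5: {fast:.2e} s/guess, PBKDF2: {slow:.2e} s/guess, "
          f"slowdown x{slow / fast:,.0f}")
```

The random salt also means two users with the same password get different stored records, so one precomputed table cannot be reused across accounts.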

Obviously, slowing down brute-force attacks also requires using the latest, up-to-date security protocols. For Wi-Fi, for example, we have to refer to WPA3 (still not very common), while for other types of encryption AES-256 (often combined with hashing) has become a secure enough standard to protect against an attack conducted without the necessary resources (nothing is inviolable; it just takes too long and must really be worth it).

Protect our data from brute force attacks

There is no way to fully protect yourself, but it is unlikely that anyone will turn high-level brute-force attacks against us mere mortals. Therefore, there is no need to worry too much about suffering this type of complex cyber attack. However, it is important to keep encrypted data safe by not letting anyone access it and by using secure, almost randomly generated passwords, as seen in our guide generate a strong password for all websites. To a secure password we can add an authentication system that is more difficult to crack, such as two-factor authentication: even if the cracker guesses the password, he cannot access our account without a code generated on our phone, as seen in our guides Sites/apps where you can activate two-step password verification and Best apps to generate OTP, for secure access to sites.

The real problem is rather defending ourselves from so-called social engineering attacks, which aim to steal personal data and defraud and rely not so much on technique as on ingenuity and cunning. For example, never open email messages that ask us to access our bank account via the internet to secure it, to confirm or block a suspicious transaction, or to approve new rules.

Conclusions

A brute-force attack is not a walk in the park, and we will hardly become a victim of this type of attack. Still, we should always use up-to-date encryption protocols, use complex passwords that are difficult to find in a dictionary, and activate all the security systems offered by a site (such as two-factor authentication), so as to give any Sunday hacker a hard time and prevent access to our services.

If you have a hard time remembering randomly generated passwords, we recommend that you read our guide How to create and manage web account passwords.
If, on the other hand, we are afraid that the attack on our computer was made by viruses or malware, we recommend that you read our guide Best Anti-malware to find even hidden spyware.
