Brute force attacks: when passwords are served on a silver platter

Even though Apple has never officially confirmed it, it can be assumed that a simple security gap in its online storage service iCloud was the cause of all the commotion for the gigantic corporation back in 2014. The assumption continues that there was a lack of brute force protection, which led to the theft of various celebrities’ private photos. Protection measures were quickly implemented after the attack. The protection mechanism now in place means that users have a maximum of ten attempts to enter their password before the log-in is disabled and the account owner is notified. Before the hacker scandal there was no limit regarding how many times a password could be entered - so it was just a matter of time before a well-planned brute force attack took place.

What actually is brute force?

Brute force refers to a method of problem solving in the areas of computer science, cryptology, and game theory. The method owes its name to the fact that it is based on trying out as many candidate solutions as possible, which is why the search is exhaustive. It is used when no better algorithm is available. Hackers who use this technique are especially keen to crack passwords and gain access to personal data. For this purpose, they use software with a simple algorithm that tries out a large number of candidate passwords in quick succession, made up of letters, other characters, and spaces up to a defined maximum length.

The shorter the password, the quicker it will be cracked by brute force methods. This is why longer passwords made up of different character types are generally recommended, and it is also advisable to use encryption systems. As the computing power required for such brute force attacks becomes more and more readily available, more checks can be performed in a shorter period of time, making comprehensive protection against brute force attacks of the utmost importance.

Why you should take brute force attacks seriously

Considering the primitiveness of the method, it seems obvious that appropriate protective measures need to be taken, but this isn’t necessarily the case. Every computer that is connected to the internet is potentially at risk. Once a hacker has worked their way into the system (which happens quicker than you’d expect), your passwords aren’t far out of reach. Most operating systems keep files or databases in which user IDs and passwords are stored. On Windows systems, for example, the user passwords are held in the SAM file, and on Unix-like systems they can be found in the passwd or shadow file.

Passwords in these files aren’t stored in plain text; they are stored as hash values produced by cryptographic algorithms. Even so, an attacker can still gain access to the files if they aren’t sufficiently protected against unauthorised access. The hacker can create a copy of the file and then perform extensive brute force attacks on it offline, without having to maintain a connection to the system. In principle, there are then only three variables which determine how long it will take until the attack is successful:

  • The duration of a single verification step
  • The length of a password
  • The complexity of a password

The duration of a single verification step, i.e. trying out one possible password, depends on the processing power that is available to the attacker. The more power that’s available, the faster an attempt can be made and the next one started. Length and complexity logically increase the number of possible combinations that can be used to create a password, and therefore the number of possibilities that must be tested during the brute force attack. This is how length and complexity affect how quickly passwords are cracked:

                                         Simple password        Complex password
Character set                            26 characters          72 characters
Character type                           Lower case             Lower and upper case, special characters, numbers
Maximum password length                  8 characters           8 characters
Possible combinations                    Approx. 209 billion    Approx. 722 trillion
Processing power                         Approx. 100 million hash values per second (both columns)
Duration of the brute force verification Approx. 35 minutes     Approx. 83 days

The table shows that it only takes a modern PC 35 minutes to test all possible character combinations for a simple password drawn from a character set of only 26 characters. If the character set is expanded to 72 characters, the brute force check would need around 83 days with the same computing power. This is not a cause for complacency, however: by trying out lists of likely passwords (dictionary attack) or using rainbow tables (precomputed lists of password hashes), attackers can shorten the time a brute force attack takes.
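The following added example (not code from the original article) reproduces the table's arithmetic and extends it to arbitrary character sets, lengths and guess rates; it also adds the sum over all shorter lengths, which an exhaustive search really has to cover. The scenario names and the 12-character row are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    charset_size: int          # number of distinct characters allowed
    length: int                # password length in characters
    hashes_per_second: float   # attacker's guess rate


def combinations(charset_size: int, length: int) -> int:
    """Keyspace for passwords of exactly `length` characters (the figure the table uses)."""
    return charset_size ** length


def combinations_up_to(charset_size: int, max_length: int) -> int:
    """Keyspace for every password of 1..max_length characters (what an exhaustive search covers)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def exhaustive_seconds(scn: Scenario) -> float:
    """Worst-case time to try every combination of the exact length at the given hash rate."""
    return combinations(scn.charset_size, scn.length) / scn.hashes_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# The two columns of the table above plus a constructed 12-character variant.
SCENARIOS = {
    "lower case, 8 chars": Scenario(26, 8, 1e8),
    "72-char set, 8 chars": Scenario(72, 8, 1e8),
    "72-char set, 12 chars": Scenario(72, 12, 1e8),
}

if __name__ == "__main__":
    for name, scn in SCENARIOS.items():
        exact = combinations(scn.charset_size, scn.length)
        total = combinations_up_to(scn.charset_size, scn.length)
        print(f"{name:22s} {exact:>26,d} (all lengths: {total:,d})  ->  {human(exhaustive_seconds(scn))}")
```

Note that a 12-character password from the same 72-character set pushes the exhaustive search from days into millions of years at this guess rate, which is why length matters more than any single special character.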

Protection against brute force attacks – how to cover your back

Whether a brute force attack targets the central password file of a system or, as in the case of iCloud, the attacker works through the Apple IDs of many users, these events prove how important it is to protect yourself against this intrusive method. When it comes to passwords on your own systems, you can take matters into your own hands. Use combinations that consist of many different character types. In the best case, use lower case and upper case letters, special characters, and numbers in your passwords. The more characters the password contains, the harder it is to crack.

The situation gets a little bit trickier when creating passwords for online services and the like. Here you are bound to the respective provider’s specifications. Typically, passwords have a maximum length of only eight characters and are often limited to letters and numbers – which doesn’t exactly fill you with confidence. If this is the case, you should definitely find out which precautions the website operators take in order to protect themselves against brute force attacks. If you are the operator of a web service with a log-in mechanism, this is your responsibility. There are two possible approaches:

  • Secure the password mechanism
  • Establish multi-factor authentication

Securing the password mechanism should actually be standard for any log-in, but as the iCloud scandal shows, this is not always the case. The point of the protection mechanism is to make the work of brute force software more difficult. This means that after a password has been entered incorrectly a certain number of times, no more attempts can be made and the entry feature is disabled. Furthermore, it is possible to increase the waiting time after every further failed attempt to enter the password. You can also go a step further – as Apple finally did – and block the entire user account after a certain number of log-in attempts.
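As an added example (not code from the original article), here is a minimal per-account throttle that implements the three measures just described: a waiting time that doubles after every failed attempt, a hard lock after ten failures, and a notification to the account owner. The user store, the `notify` callback and the injectable clock are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is accepted
    locked: bool = False


class LoginGuard:
    """Per-account throttle: growing delay after each failure, hard lock after max_failures."""

    def __init__(self, check_password, max_failures=10, base_delay=1.0,
                 notify=print, clock=time.monotonic):
        self._check = check_password    # callable(username, password) -> bool
        self._max = max_failures
        self._base = base_delay
        self._notify = notify           # called with the username when an account gets locked
        self._clock = clock             # injectable so the behaviour can be tested without sleeping
        self._state: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        st = self._state.setdefault(username, AccountState())
        now = self._clock()
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"          # rejected before the password is even checked
        if self._check(username, password):
            self._state.pop(username)   # a successful log-in resets the counters
            return "ok"
        st.failures += 1
        if st.failures >= self._max:
            st.locked = True
            self._notify(username)      # the owner is told, as the page describes for iCloud
            return "locked"
        # waiting time doubles with every failure: 1 s, 2 s, 4 s, ... capped at one hour
        st.next_allowed = now + min(self._base * 2 ** (st.failures - 1), 3600)
        return "denied"


# Constructed demo store: SHA-256 of the password, compared in constant time.
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username, "")
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())
```

Unlocking a locked account (after owner confirmation, for instance) is deliberately left out; the point is that the tenth wrong guess ends the attempt series rather than the attacker's patience.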

Many providers offer multi-factor authentication as an option. It makes the log-in process somewhat more complicated since a further component is needed in addition to the password. This could be answering a secret question, entering a PIN, or solving a CAPTCHA. The latter are small tests to determine whether the log-in process is being carried out by an actual person or – as is the case with brute force software – by an automated program.

United against brute force attacks

In addition to the measures presented, there are a few tricks for preventing brute force attacks. Brute force tools usually rely on recognising patterns in the server’s responses, so their job becomes more complicated if the standard error messages are not sent back to the browser directly but are instead delivered by an external system, such as a different website. Using alternative names for entry fields or the surrounding text, which are then restored after a log-in attempt, can also cause problems for some hacker tools. In any case, you will increase the security of your web project or passwords if you use one or more of the brute force protection measures mentioned.

For some platforms or applications, there are also specific extensions or tools against brute force attacks. The add-on Jetpack, which is designed to make it easier to manage WordPress sites, has an in-built module to prevent dangerous attacks based on an IP blacklist. The IP addresses collected in this list are those that have been linked to all known brute force attacks on WordPress pages up to that date.
