Password attacks spiked in 2023, according to Microsoft’s recent digital defence report. After a notable increase in the number of password-based attacks per month in October 2022, that monthly figure rose ten-fold in 2023 compared with the same period the previous year, reaching 11,000 attacks per second in April 2023.
In 2020, the internet security company Malwarebytes noticed a rise in compromised servers being used to run brute force tools. This corresponded to a rise in the number of RDP (Remote Desktop Protocol) ports exposed to the internet, which grew from about 3 million in January 2020 to over 4.5 million in March of the same year as a result of the COVID-19 pandemic. Microsoft responded to this threat by adding default protection against RDP brute force attacks in Windows 11.
Most online login forms incorporate lockout mechanisms to prevent too many login attempts being made. However, some applications require lockouts to be configured manually, including systems running versions of Windows prior to 11. Lockouts also do not prevent attackers from obtaining an offline copy of a password database and running password cracking attempts against it until a password is revealed, which they can then use to access the target system.
Machine learning-based AI password cracking tools, such as PassGAN, are also increasingly being developed to automate password analysis and cracking.
What is a brute force attack and how does it happen?
A brute force attack is where criminals use trial and error to guess username and password combinations (credentials) or encryption keys. The success rate of an attack increases when credentials are simple and easy to guess.
A brute force attack relies on trial and error to guess the credentials by testing every possible combination. The need to try numerous variations means that this type of attack is normally automated, relying on software tools, which increasingly use artificial intelligence to try huge numbers of combinations as quickly as possible.
Brute force attacks are a common and historic way for criminals to attempt to gain access to user information, devices, and systems, but attacks are becoming increasingly sophisticated.
The simplest form of attack involves the criminal attempting to guess the password logically, often using easily researched information such as children’s or pet names and birthdays. Common passwords such as ‘123456’ or ‘password’ are easily breached by this method. A hybrid attack combines common words with random characters, such as ‘United123!’, in the same way.
Attackers often use tools to test huge lists of login credentials, frequently with a dictionary attack method. They combine a traditional dictionary of words with common phrases or known passwords, systematically trying them to gain unauthorised access to systems.
A rainbow table attack precomputes a table of possible values and their hashes, then uses it to find a match for the original value. The rainbow table works like a large dictionary, but it is optimised for hashes and passwords to ensure fast look-up speeds. Attackers steal password hashes (the scrambled, unreadable version of the actual password) and compare them against the rainbow table. If successful, the table provides the string that produced the hash.
When a criminal has successfully identified a password, they may use the credentials themselves or sell them on to other criminals. Criminals also test stolen credentials on multiple sites in a credential stuffing attack. This is surprisingly effective, as it is estimated that up to 65% of people reuse the same password on multiple sites.
If the victim is a person, rather than an organisation, the criminal may go as far as stealing their identity. This may then allow them to access bank accounts or commit other acts of fraud.
Fraud and monetary gain are still the primary motivators for attacking organisations. The sale of stolen personal information is common. If a hacker also accesses the organisation’s website, they may place spam ads to gain commission, reroute internet traffic or place malicious software on a site to commit further cybercrime offences.
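The hash look-up described above, and why the salting recommended later on this page defeats it, as an added example that is not part of the original article. It uses a constructed three-entry table of unsalted SHA-256 hashes standing in for a rainbow table, and PBKDF2-HMAC-SHA256 with a random 16-byte salt as the protected form; the password list and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: a tiny precomputed table of unsalted SHA-256 hashes for
# weak passwords mentioned on this page. A real rainbow table is far larger but
# serves the same purpose: map a stolen hash straight back to its password.
WEAK_PASSWORDS = ["123456", "password", "United123!"]

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

LOOKUP_TABLE: Dict[str, str] = {unsalted_hash(p): p for p in WEAK_PASSWORDS}

def lookup(stolen_hash: str) -> Optional[str]:
    """What the table yields for a stolen hash: the password, or None if unknown."""
    return LOOKUP_TABLE.get(stolen_hash)

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Random 16-byte salt plus a slow PBKDF2-HMAC-SHA256 digest; store both."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, stored: bytes,
           iterations: int = 200_000) -> bool:
    """Constant-time check of a login attempt against the stored salt and digest."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)

def compare_schemes(password: str) -> Dict[str, bool]:
    """Two users share one password; report what each storage scheme reveals."""
    plain_a, plain_b = unsalted_hash(password), unsalted_hash(password)
    salt_a, digest_a = salted_hash(password)
    salt_b, digest_b = salted_hash(password)
    return {
        "unsalted_hashes_identical": plain_a == plain_b,        # reuse is visible
        "unsalted_in_table": lookup(plain_a) == password,       # instant recovery
        "salted_hashes_identical": digest_a == digest_b,        # False: salts differ
        "salted_in_table": lookup(digest_a.hex()) is not None,  # False
        "salted_verifies": verify(password, salt_a, digest_a),  # login still works
    }
```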
What might help reduce risks from brute force attacks?
The general good practice guidance applies, but since brute force attacks specifically target access credentials, you should also take the following actions to protect yourself from these types of attacks:
- Use two-step or multi-factor authentication. Note that some options are more resilient to attacks than others (eg SMS based ones are exposed to SIM swap attacks), so consider carefully which option to choose. Depending on the risk, you may decide to use hardware-based tokens.
- Use strong passwords, ideally using the ‘three random words’ approach.
- Avoid passwords which contain information about you which is easy to guess.
- Use unique passwords for different accounts and do not reuse passwords.
- Protect passwords at rest, eg by hashing and salting them (adding extra random characters to the plaintext password before hashing it), and in transit by using secure transport mechanisms.
- Consider the use of a password manager.
- Reduce reliance on passwords by considering single sign-on (SSO), hardware tokens and biometric options.
- Disable unused accounts.
- Limit logon attempts and set accounts to lock if too many wrong guesses are made of a password. NCSC recommend between five and 10 attempts.
- Consider configuring systems to have increased delays between successive login attempts (throttling).
- Consider using a CAPTCHA, a test to determine if a user is human rather than a bot, to mitigate against automated password guessing attempts.
- Monitor for unusual or unexpected activity, whether from disabled or dormant accounts or from legitimate ones.
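How the lockout, throttling and monitoring recommendations above fit together in one login guard, as an added example that is not part of the original article. It locks an account after five failures (the lower end of the five-to-10 range cited above), doubles the required wait after every failure, and records an alert for any attempt against a disabled account; the account names, secrets and the 203.0.113.7 source address are constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

MAX_ATTEMPTS = 5          # lower end of the five-to-10 range the page cites
BASE_DELAY_SECONDS = 1.0  # throttling: required wait doubles after every failure

@dataclass
class Account:
    secret: str            # demo only: a real system stores a salted hash instead
    disabled: bool = False
    failures: int = 0
    locked: bool = False

@dataclass
class LoginGuard:
    accounts: Dict[str, Account]
    alerts: List[str] = field(default_factory=list)  # feed for the monitoring step

    def required_delay(self, username: str) -> float:
        """Seconds the caller must wait before the next attempt (exponential back-off)."""
        acct = self.accounts.get(username)
        if acct is None or acct.failures == 0:
            return 0.0
        return BASE_DELAY_SECONDS * 2 ** (acct.failures - 1)

    def attempt(self, username: str, password: str, source: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown"
        if acct.disabled:  # any activity on a disabled account is worth an alert
            self.alerts.append(f"{username}: attempt on disabled account from {source}")
            return "disabled"
        if acct.locked:    # even the right password is refused until an admin unlocks
            return "locked"
        if hmac.compare_digest(password, acct.secret):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked = True
            self.alerts.append(f"{username}: locked after {acct.failures} failures, last source {source}")
        return "locked" if acct.locked else "failed"

def run_demo() -> LoginGuard:
    """Replays a constructed guessing sequence and returns the resulting guard state."""
    guard = LoginGuard({"alice": Account("correct-horse-battery"),
                        "old-svc": Account("retired", disabled=True)})
    for guess in ["123456", "password", "United123!", "qwerty", "letmein"]:
        guard.attempt("alice", guess, "203.0.113.7")
    guard.attempt("alice", "correct-horse-battery", "203.0.113.7")  # correct, but now locked
    guard.attempt("old-svc", "retired", "203.0.113.7")             # disabled account probed
    return guard
```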
Further reading:
- Two-step authentication - NCSC
- Password managers - NCSC
- Three random words blog - NCSC
- Updated approach to passwords - NCSC
What are the likely future developments?
A low-cost attack tool which can crack the authentication fingerprint used on device lock screens has been developed.
To unlock a device with a password, an exact match to what is stored in the database is required for authentication. Fingerprint authentication, however, matches against a reference threshold, so authentication only depends on an approximation of an image in the fingerprint database falling within the threshold parameters. The attack, known as BrutePrint, does require the criminal to have physical access to the device and to set up additional hardware, including a microcontroller board. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.
This attack type exploits zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework. Using a database of fingerprints in the same way as leaked password databases are used, the researchers found that the time taken to access the device depended on the number of authorised prints, varying from 40 minutes to 14 hours.
This type of attack raises questions about the implications of brute force attacks on underlying technology relied on for multi-factor authentication (MFA).
All brute force attacks require powerful computers to run a huge range of potential combinations as quickly as possible. As quantum computers are faster than conventional machines at this task, cyber security professionals and researchers have been considering how the future of quantum computing could pose a significant threat to cyber security.
Based on quantum physics rather than standard electronics, quantum computers can reduce the time needed to decrypt encrypted information, and could theoretically crack most current cryptographic methods used to transmit information over the internet. You should keep your mitigation measures under review and consider what further measures might be appropriate to future-proof your operations as the technology develops.