Cybercriminals use many techniques to break the security for taking control over individuals or company’s private data. One of such trends are brute-force attacks.Through them, cybercriminals take possession of the associated user data and password of accounts to freely use them.
Brute-force attack are simple: They combine software, trial and error, and the application of an algorithm of succession of words, characters and digits. Through these variables, hackers come up with passwords more times than we think. Let’s see how they do it.
How effective are Brute-Force Attacks?
The truth is that carrying out a brute force attack requires a lot of talent and tenacity. In other words, not even the best hackers can effectively predict how long a successful brute-force attack may take.
This is to say, hackers can take from a few minutes to years to crack a code through brute-force attacks; and doing so will always depend on the length and complexity of the password they want to break.
For this reason, the general recommendation for final user is creating passwords of considerable length, that is; at least 8 characters that include uppercase, lowercase, special characters and digits.
However, these measures by themselves do not fully guarantee the integrity of the data to successfully access to your accounts. In other words, brute-force attacks have more tentacles and strategies that you should take care of.
Brute-force Attacks, Dictionary Attacks and Rainbow Table Attacks
Dictionary Attacks
On the one hand, we find dictionary attacks. Its based upon a simple logic: It consists of trying all the words of the dictionary.
Although it seems like a lot of work to do, the truth is that it is usually more effective than a brute-force attack because many users use a word in their native language so to remember their passwords more easily.
Rainbow Table Attack
On the other hand, we find the table rainbow attacks. They start from the hash value to reproduce the steps within the string code until the password is obtained. However, many times the value is not in the main table; so hackers reproduce it by reducing the value with the same function with which the chain was created.
This same procedure is repeated until the summary value is reached at a final point. Now, it does not mean that the password has been already found, but the string of characters. This will end up by revealing the plain text that composes the password.
They are called Rainbow Tables because hackers assign a different color to each reduction so to avoid confusion. At the end, there are so many reductions with their respective colors, that it ends up looking like a rainbow.
Can the 3 types of attack converge?
Yes, they definitely can. The dictionary attack strategy (focused on word detection); and that of rainbow tables attacks (which employ groups of contiguous sequences) can complement brute-force attacks; and make the basic recommendations insufficient for the creation of passwords.
This happens especially when we create passwords on the web, because we are subjected to what the service provider has established. Especially due to these generally set maximum parameters of 10 characters; in addition to a limited number of numbers and characters that make our passwords more vulnerable.
In summary, such parameters are transparent and hackers can perfectly adjust their software with these features to speed up the process of code breaking.
However, online services have two factors that can help us to contrarest brute-force attacks by themselves, or in combination with the other two modalities above described above.
Protection in the password mechanisms against Brute-force Attacks
This protection hinders brute force attacks. For example, if the user enters a wrong password, he should wait a short time before trying again.
This measure is exponential, that means, the waiting time increases as failed attempts repeat. Another drastic measure is to block the account at X number of failed attempts, and raising an alarm via inbox to the associated account.
Multi Factor Authentication
Many suppliers offer this technique as an optional service. With this option, final users increase the level of complexity of protection against brute-force attacks because it disposes both, user and password be authenticated; plus another additional element such as answering a secret question; adding a pin or captcha. This prevents the system from brute-force attacks.
To prevent brute-force attacks, corporate IT departments should ensure that passwords encryption of 256-bit length, if possible. It’s simple: The greater is the number of bits used for encryption, the more complex it becomes deciphering passwords.
Recommendations for end users
The best recommendation for end users is using 10 characters passwords that contain a combination of symbols and numbers. With this the degree of difficulty, you increase the rate of match to a number of 171.3 trillion odds.
If the site does not allow long passwords, you should choose complex combination passwords instead of simple words. Avoid common passwords (“123456”, “abcdef”, “000000”); and change them frequently.
Also, it’s highly recommended that you include business security software to protect each one of your communications, and enhance the protection of your passwords. Check here the options we have for you.
