How To Bolster Your Cybersecurity Against Brute Force Attacks

17 Nov 2022


Suffering a security breach is not a matter of if but when. This is more relevant than ever, with even corporate tech giants falling victim to cyber incidents one after another in recent times. And yet many are still under the impression that they are either well enough protected to prevent such attacks or that it simply will not happen to them.

According to the 2020 Data Breach Investigations Report by Verizon, brute force attacks remain the primary attack vector when it comes to hacking passwords. Together with lost or stolen credentials, they feature in over 80 per cent of breaches. In short, all online users are under constant threat of security breaches. Brute force attacks and dictionary attacks remain a leading cause of concern because they are how bad actors gain unauthorised access to data and personal information.

Understanding brute force attacks and their popularity

A brute force attack is a cybersecurity attack wherein hackers “brute force” their way into an account: they make a large number of login attempts with different passwords until they find the one that grants access. Because the number of possible password combinations is so large, attackers rely on software that automates the guessing.

Most organisations today enforce password composition rules, and hackers can use those rules as a guide or set of criteria for the passwords they generate, which raises their odds of success. These attacks are often successful because users settle for common variations of a few passwords. One way to mitigate this is by increasing the number of possible combinations. For instance, the widely used 4-digit numeric PIN has only 10,000 possible combinations, while a standard 8-character alphanumeric password has over 2.8 trillion possible combinations.

Brute force attacks continue to be popular today because they do not just try random strings but follow systematic approaches that increase the likelihood of success. They are also widespread because, once the correct password for an account has been found, the attacker can simply log in with no further exploitation involved. Furthermore, the same password may work on other sites and applications as well, since many users reuse one password with slight variations to avoid forgetting it.
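The PIN and password figures quoted above come straight from the size of the keyspace. The following calculator is an added example, not code from the original article or from GROUP8; it computes how many candidates an exhaustive search must cover and how long that takes at an assumed guess rate. The alphabet sizes (10, 36, 62, 94) are the usual ASCII classes; note that the 2.8 trillion figure for an 8-character "alphanumeric" password corresponds to a 36-symbol alphabet (lowercase letters plus digits), and that adding uppercase letters (62 symbols) multiplies the space by almost eighty.

```python
import string
from math import log2

# Common alphabets a password policy can draw from (sizes: 10, 36, 62, 94)
DIGITS = string.digits
LOWER_DIGITS = string.ascii_lowercase + string.digits
ALNUM = string.ascii_letters + string.digits
ALNUM_SYMBOLS = ALNUM + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Candidates an exhaustive search must cover if it also tries every
    shorter length (1..max_length), which a real guessing tool does."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an online or offline attacker making
    `guesses_per_second` attempts to try every candidate."""
    return space / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit (for reports)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Assumed guess rates (constructed for illustration): a throttled web
    # login versus an unthrottled API endpoint.
    for label, rate in [("throttled login (1 guess/s)", 1.0),
                        ("unthrottled API (10,000 guesses/s)", 10_000.0)]:
        print(f"== {label}")
        for desc, alphabet, length in [("4-digit PIN", DIGITS, 4),
                                       ("8 chars, lowercase+digits", LOWER_DIGITS, 8),
                                       ("8 chars, mixed case+digits", ALNUM, 8),
                                       ("12 chars, mixed case+digits+symbols", ALNUM_SYMBOLS, 12)]:
            space = keyspace(len(alphabet), length)
            print(f"{desc:38s} {space:>28,d} candidates "
                  f"({entropy_bits(len(alphabet), length):5.1f} bits) "
                  f"-> {format_duration(seconds_to_exhaust(space, rate))}")
```

The time estimates are worst-case figures for a random password. Against human-chosen passwords a dictionary attack succeeds far sooner than exhaustion, which is why the login controls in the next section matter as much as the password policy itself.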

Best practices against brute force attacks

1. Require a captcha

Captchas are challenge-response tests that can be triggered by multiple failed login attempts. They are designed to determine whether a real human user or automated software is behind the failed attempts, and because automated tools cannot pass them cheaply, they significantly hamper brute force attempts.

2. Impose login attempt limits

Login attempt limits are one of the most effective ways, if not the most effective way, to combat brute force attacks, as they lock down an account after several consecutive failed login attempts. Some systems impose additional measures on top of an account lockdown, as in the case of iPhones, which can be set to wipe all user data after ten failed attempts.

3. Extend login time

Systems can add a delay to each login attempt without significantly inconveniencing authorised users. For instance, a one-second delay will not bother anyone, but it poses a tremendous hurdle for hackers running brute force attacks. This is particularly effective when attackers cannot run many attempts simultaneously, a method known as a parallel attack.
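The three practices above (captcha after repeated failures, lockout after a limit, and a per-attempt delay) are usually implemented together in front of the credential check. The following throttle is an added example, not code from the original article or from GROUP8. It keeps a sliding window of failed attempts per account, requires a captcha once `captcha_after` failures have accumulated, locks the account for `lock_seconds` once `lock_after` failures are reached, and reports a delay that grows with the failure count up to a cap. The thresholds, the injectable clock and the names are all assumptions chosen for the example; the delay is returned rather than slept so the caller (and a test) decides how to apply it.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict


@dataclass
class LoginDecision:
    allowed: bool          # may the credential check run at all?
    require_captcha: bool  # must a challenge-response be solved first?
    locked_for: float      # seconds remaining on a lockout (0.0 if not locked)
    delay: float           # artificial delay to apply before answering


class LoginThrottle:
    """Per-account failed-login tracking with captcha, lockout and delay.

    Failures older than `window` seconds are forgotten, so a legitimate
    user who mistypes occasionally never accumulates enough to be locked.
    """

    def __init__(self, captcha_after: int = 3, lock_after: int = 10,
                 window: float = 900.0, lock_seconds: float = 900.0,
                 base_delay: float = 1.0, max_delay: float = 30.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.window = window
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.now = now  # injectable clock (assumption) so the logic is testable
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _recent_failures(self, account: str) -> int:
        """Drop failures that fell out of the window, return the rest."""
        q = self._failures[account]
        cutoff = self.now() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def delay_for(self, failures: int) -> float:
        """Fixed base delay on every attempt, doubling per recent failure."""
        return min(self.base_delay * (2 ** failures), self.max_delay)

    def check(self, account: str) -> LoginDecision:
        """Decide how to treat the next attempt on `account` (call first)."""
        t = self.now()
        until = self._locked_until.get(account, 0.0)
        if until > t:
            return LoginDecision(False, True, until - t, self.max_delay)
        n = self._recent_failures(account)
        return LoginDecision(True, n >= self.captcha_after, 0.0, self.delay_for(n))

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; returns True if it triggered a lockout."""
        self._failures[account].append(self.now())
        if self._recent_failures(account) >= self.lock_after:
            self._locked_until[account] = self.now() + self.lock_seconds
            self._failures[account].clear()  # lock expiry starts a clean slate
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct password clears the failure history."""
        self._failures[account].clear()
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    # Constructed scenario: six wrong guesses against one account.
    throttle = LoginThrottle(captcha_after=3, lock_after=5, lock_seconds=600)
    for attempt in range(1, 7):
        d = throttle.check("alice")
        print(f"attempt {attempt}: allowed={d.allowed} captcha={d.require_captcha} "
              f"delay={d.delay:.0f}s locked_for={d.locked_for:.0f}s")
        if d.allowed:
            throttle.record_failure("alice")
```

Two design points a practitioner should weigh: a lockout keyed purely on the account name lets anyone who knows a username lock its owner out, so time-limited locks (as here) and a parallel per-source throttle are preferable to permanent locks; and the delay should be applied to successful and failed attempts alike, otherwise the response time itself reveals whether a guess was correct.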

Conclusion

Security breaches have ramped up in the last several years due to many contributing factors, the main one being the global shift to remote working, which is riddled with security gaps. Brute force attacks are still effective despite their straightforwardness and should not be neglected when planning cybersecurity improvements.

To ensure your security posture is as robust as possible at all times, reach out to GROUP8 today to secure industry-leading offensive-inspired cybersecurity solutions that keep you one step ahead of bad actors. Our renowned ecosystem of Singapore cybersecurity services includes everything your organisation may need to bolster its defences, from incident response and vulnerability research to web and network security and CREST-certified penetration tests. Contact us at hello@group8.co to learn more.