What Is a Brute-Force Attack and How to Prevent It
We all need to solve CAPTCHAs now and then, but have you ever thought what the purpose of these sometimes annoying tests is? And what does CAPTCHA mean anyway? It stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and one of its main goals is to prevent successful brute-force attacks. Time for some more questions.
What is a brute-force attack?
Think of a combination lock. You don't know the four-digit code that unlocks it, so you just try to guess it. You start with "0000" and if it doesn't work you try "0001", "0002", "0003", etc. until you reach the combination that opens the lock. This, in simple terms, is a brute-force attack, and the same principle can be applied to passwords.
Of course, it's not as easy as it sounds. Typically, passwords consist of more than four characters, and there are usually letters in them, which, as we'll find out in a minute, means that the number of possible combinations is much higher. All in all, a brute-force attack in its traditional form is not a brilliantly effective way of breaking a password. That's why an evolution of the brute-force attack called a dictionary attack is much more common nowadays.
What is a dictionary attack?
In a dictionary attack, hackers are still trying to guess the password. The difference is that in a brute-force attempt, they are shooting in the dark while here, they are making educated guesses. This attack is made possible by the fact that users are simply not very good with passwords.
Memorizing multiple complex passwords is hard, which is why many people resort to protecting their accounts with simple words like "password" or keyboard patterns like "qwerty". By putting together long lists of commonly used passwords, hackers are much more likely to guess the password with far fewer tries.
Offline and online attacks
Both the traditional brute-force attack and the dictionary variety can be performed online or offline. In an online attack, the hackers try to guess the password at the login page. When they're offline, they have breached the service provider and have downloaded the database that contains your hashed password. After locally recreating the hashing mechanism, they try to guess the password without connecting to the login page.
Where does CAPTCHA come into all this?
It's a mechanism for stopping online brute-force and dictionary attacks. As you might have guessed already, the attackers don't sit in front of a keyboard trying out different passwords until "Access Granted" appears on the screen. They use automated tools and software, and as sophisticated as these tools are, they are not capable of solving a good CAPTCHA test. There are usually other precautions like limits on the number of failed login attempts and blocking IPs that generate suspicious traffic, but a CAPTCHA test is the simplest (though not completely foolproof) solution.
In an offline attack, however, a CAPTCHA test is completely irrelevant. That's where you need to step in.
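The article mentions limits on failed login attempts and blocking IPs that generate suspicious traffic as the other common online defences. Below is an added example of how a service might implement both, written for this page and not code from Cyclonis or any product: a sliding-window failure counter per account with a temporary lockout, plus a per-IP counter that flags sources that fail far more often than any one user could explain. The thresholds, window lengths, IP addresses and the replayed event log are all constructed for illustration.

```python
"""Per-account failed-login throttle with lockout and per-IP alerting.

Added example, not code from the Cyclonis article. The thresholds,
window lengths and the sample event log below are assumptions
constructed for illustration.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5          # failed attempts allowed per account in the window (assumed)
WINDOW_SECONDS = 300      # sliding window length in seconds (assumed)
LOCKOUT_SECONDS = 900     # how long an account stays locked after hitting the limit (assumed)
IP_ALERT_THRESHOLD = 20   # failures from one IP in the window that raise an alert (assumed)


class LoginThrottle:
    """Tracks failed logins per account and per source IP using sliding windows."""

    def __init__(self):
        self.failures_by_user = defaultdict(deque)   # username -> failure timestamps
        self.failures_by_ip = defaultdict(deque)     # ip -> failure timestamps
        self.locked_until = {}                       # username -> unlock timestamp

    @staticmethod
    def _prune(q, now):
        # Drop events that have fallen out of the sliding window
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_attempt(self, user, ip, success, now):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            # Even a correct password is rejected while the lockout is active
            return "locked"
        if success:
            # A genuine login clears the account's failure history (IP history is kept)
            self.failures_by_user[user].clear()
            return "ok"
        uq = self.failures_by_user[user]
        iq = self.failures_by_ip[ip]
        self._prune(uq, now)
        self._prune(iq, now)
        uq.append(now)
        iq.append(now)
        if len(uq) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def suspicious_ips(self, now):
        """IPs whose failure count in the window reaches the alert threshold."""
        flagged = []
        for ip, q in self.failures_by_ip.items():
            self._prune(q, now)
            if len(q) >= IP_ALERT_THRESHOLD:
                flagged.append(ip)
        return sorted(flagged)


# Constructed event log: (timestamp in seconds, username, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "alice", "198.51.100.7", False),
    (10, "alice", "198.51.100.7", False),
    (20, "alice", "198.51.100.7", False),
    (30, "alice", "198.51.100.7", False),
    (40, "alice", "198.51.100.7", False),   # fifth failure: account locked
    (50, "alice", "198.51.100.7", True),    # right password, but still inside the lockout
    (60, "bob", "203.0.113.9", False),      # a legitimate typo...
    (70, "bob", "203.0.113.9", True),       # ...followed by a normal login
    (1000, "alice", "192.0.2.1", True),     # lockout (40 + 900 = 940) has expired
]
# The same IP also produces one failure against each of 25 other accounts:
# too few per account to lock anyone, but far too many for one source.
SAMPLE_EVENTS += [(100 + i, f"user{i}", "198.51.100.7", False) for i in range(25)]


def replay(events, now):
    """Replay events in time order; return the verdicts and the IPs flagged at `now`."""
    throttle = LoginThrottle()
    verdicts = [throttle.record_attempt(u, ip, ok, t) for t, u, ip, ok in sorted(events)]
    return verdicts, throttle.suspicious_ips(now)


if __name__ == "__main__":
    verdicts, flagged = replay(SAMPLE_EVENTS, now=200)
    for event, verdict in zip(sorted(SAMPLE_EVENTS), verdicts):
        print(f"t={event[0]:>4} {event[1]:<7} {event[2]:<13} -> {verdict}")
    print("flagged IPs:", flagged)
```

Note the two different signals: the per-account counter stops a single password being guessed by brute force or from a dictionary, while the per-IP counter catches a source that spreads its attempts across many accounts so that no single counter trips. Neither helps against the offline case described next, where the attacker never touches the login page at all.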
Protecting yourself against brute-force attacks
The only way to ensure that your password isn't susceptible to a dictionary attack is to make sure that it's not in the hackers' dictionaries. Any keyboard patterns should be out of the question, even if you think that they're not easy to guess. If the password is a meaningful word, you could be vulnerable as well. Don't forget that in an offline attack, the hackers don't need to worry about getting caught or running out of login attempts, so they can theoretically load a language's entire vocabulary and wait for the right word to come up. A random string of characters that makes no sense will not only protect you from dictionary attacks, it will also make brute-force attempts significantly harder.
Depending on the length and type of characters used, there's a finite number of possible combinations for every single password. For a four-character numeric code, for example, you have a total of 10 thousand possible combinations. If you add lowercase letters to the equation, however, you immediately push the number up to nearly 1.7 million. Add uppercase letters, and you're looking at close to 14.8 million combinations.
It may sound like a lot, but modern password cracking tools will go through all these combinations in seconds, which is why, in addition to recommending the use of as wide a range of characters as possible, experts also say that a good password is at least 8 characters long.
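The arithmetic behind the figures above is simply (alphabet size) to the power of (password length). The added example below, written for this page and not taken from Cyclonis, reproduces the 10,000 / 1.7 million / 14.8 million figures, extends the same formula to 8-character passwords and to a full printable alphabet, and pairs it with the dictionary and keyboard-pattern screen that the previous section argues for. The guess rate used for the time estimates and the tiny word and pattern lists are constructed assumptions, stand-ins for the far larger lists an attacker would actually hold.

```python
"""Password keyspace arithmetic plus a dictionary / keyboard-pattern screen.

Added example, not code from the Cyclonis article. The guess rate and the
small word and pattern lists are assumptions constructed for illustration.
"""
import math
import string

# Character classes and their sizes (10 + 26 + 26 + 32 = 94 printable ASCII symbols)
CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation,
}

ASSUMED_GUESSES_PER_SECOND = 1e9   # assumed offline cracking rate, for illustration only


def keyspace(alphabet_size, length):
    """Number of distinct strings of exactly `length` symbols from an alphabet of that size."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every combination at the assumed rate."""
    return keyspace(alphabet_size, length) / rate


def keyspace_table(lengths=(4, 8)):
    """(description, alphabet size, length, keyspace, seconds) for growing alphabets."""
    rows = []
    alphabet = ""
    for name, chars in CLASSES.items():
        alphabet += chars
        label = "+".join(list(CLASSES)[: list(CLASSES).index(name) + 1])
        for n in lengths:
            rows.append((label, len(alphabet), n, keyspace(len(alphabet), n),
                         seconds_to_exhaust(len(alphabet), n)))
    return rows


def effective_alphabet(pw):
    """Alphabet size implied by the character classes actually present in `pw`."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))


def estimated_bits(pw):
    """Brute-force strength in bits: length * log2(alphabet), for a truly random password."""
    return len(pw) * math.log2(effective_alphabet(pw))


# Constructed, deliberately tiny stand-ins for an attacker's wordlist and pattern list
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_keyboard_pattern(s, min_run=4):
    """True if `s` is a run of adjacent keys along one keyboard row, forwards or backwards."""
    s = s.lower()
    if len(s) < min_run:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weakness(pw):
    """Why a password would fall quickly to a dictionary or brute-force attempt, or None."""
    low = pw.lower()
    base = low.rstrip(string.digits)      # 'password1' is still 'password' to a wordlist
    if low in COMMON_WORDS or base in COMMON_WORDS:
        return "in common-password list"
    if is_keyboard_pattern(low) or is_keyboard_pattern(base):
        return "keyboard pattern"
    if len(pw) < 8:
        return "shorter than 8 characters"
    return None


if __name__ == "__main__":
    for label, size, n, space, secs in keyspace_table():
        print(f"{label:<26} {size:>3}^{n} = {space:>20,}  ~{secs:12.3f} s")
    for candidate in ["qwerty", "Password1", "Tr7#q", "x9Q#mL2pVt"]:
        print(f"{candidate:<12} {weakness(candidate) or 'no obvious weakness'} "
              f"({estimated_bits(candidate):.1f} bits)")
```

Two things the table makes visible that the prose only states: going from 4 to 8 characters multiplies the work by the alphabet size to the fourth power again, so length buys far more than adding one extra character class, and the bit estimate only means anything for a random string, since a word from the list is found after a few thousand guesses no matter how many classes it mixes.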
Some of you may be reading this thinking "easier said than done". Well, we reckon that thwarting brute-force attempts has never been simpler. With Cyclonis Password Manager, creating and storing multiple strong passwords is a breeze. The automatic password generator will create random passwords that consist of numbers, letters, and special characters, and it's up to you to decide how long you want them to be. You don't have to worry about remembering them, either. Cyclonis Password Manager will put all your passwords in an encrypted vault which you will be able to access via your master password.