A brute force attack is a method that attempts to figure out passwords or keys through automated, random trial and error. Long keys and complex passwords offer protection against the brute force method.
What is a brute force attack?
Brute force is a popular attack method to figure out passwords or decrypt data. It uses “brute force” by randomly trying different strings of letters or characters in an automated manner. The more combinations tested, the higher the chance of success.
In principle, any secret can be recovered by trial and error. However, the time required grows with the complexity of the secret. Modern, powerful computer systems are capable of testing a very large number of possible combinations within a short time.
Using complex passwords, long keys, and limiting the number of possible failed login attempts can reduce the chances of success of brute force attacks.
Brute force can be used for legal or illegal purposes. Legal applications include testing the security of IT systems or networks. Hackers use brute force attacks illegally to steal passwords, take over systems or gain access to confidential data.
In some cases, the brute force method also uses dictionaries that contain typical passwords such as “administrator” or “12345678” as a supplement. This is called a dictionary attack and increases the attack’s chances of success and decreases the time spent trying completely random strings.
Brute force attack on passwords and possible protection measures
One application example for brute force attacks is cracking passwords. Passwords are usually not stored in plain text on systems but as hash values. Since the password cannot be computed backward from its hash value, the brute force method hashes each candidate password and compares the result with the stored hash value until a match is found. At that point, the password is known.
Lists with precomputed hash values of frequently used passwords are also often used. These are called rainbow tables. One possible protective measure is to select long passwords with numbers, special characters, and upper/lower case letters that are not based on existing words.
As the complexity of the password increases, so does the number of computational operations required for the brute force attack. Brute force attacks on login masks are made more difficult by limiting unsuccessful password entries.
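As an added illustration (not part of the original article), the following Python sketches the two protective measures described above: how the candidate space grows with alphabet size and password length, and a throttle that locks an account after repeated failed logins. The guess rate, the thresholds and the login events are constructed assumptions.

```python
from collections import deque


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length: grows exponentially with length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def expected_crack_seconds(alphabet_size: int, max_length: int, guesses_per_second: float) -> float:
    """Average offline cracking time: on average half the keyspace is tried before a hit."""
    return keyspace(alphabet_size, max_length) / 2 / guesses_per_second


class LoginThrottle:
    """Lock an account after `threshold` failed logins within `window` seconds.

    Constructed illustration of the "limit failed attempts" measure; the
    failure history is kept in memory, a real system would persist it per account.
    """

    def __init__(self, threshold: int = 5, window: int = 900, lockout: int = 900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self._failures = {}       # user -> deque of failure timestamps inside the window
        self._locked_until = {}   # user -> time at which the lockout expires

    def attempt(self, user: str, now: float, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if now < self._locked_until.get(user, 0.0):
            return "locked"       # rejected before the password is even checked
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and q[0] <= now - self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


def simulate(events):
    """Run constructed (user, timestamp, password_ok) events through a throttle."""
    throttle = LoginThrottle(threshold=3, window=60, lockout=300)
    return [throttle.attempt(user, ts, ok) for user, ts, ok in events]
```

With three failures allowed per minute, an online attacker gets at most a few hundred guesses per day against one account, while the same candidate space at an offline hash rate is exhausted in a fraction of a second for short passwords.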
Brute force attack on encrypted data and possible protection measures
The brute force method can be used to attack encrypted data. Again, randomly chosen keys are tried until a match is found. The decisive factor for the attack’s chances of success is the length of the key used. Modern encryption algorithms use key lengths of 128 or 256 bits, for example, at which the computational effort required to find the key becomes too great in terms of time and cost.
The computational effort increases exponentially with the key length. Using computing power available today, times of several thousand years are required to find the correct combination for particularly long keys. However, as technological progress continues to increase the computing power of systems, it cannot be ruled out that encryption considered secure today may be broken by the brute force method in the future.