What Is A Brute Force Attack?

by Maaz Shah  February 20, 2015

In the dictionary, brute means “a savagely violent man or animal.”

Therefore, if I say your server is under a brute force attack, you’ll think: “Oh, it means a full army of violent men are going to attack.”

Well, in essence, it is almost the same; however, there is no army.

Brute Force Attack

So, what is a Brute Force Attack then?

A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in. This repetitive action is like an army attacking a fort.

Now, you’ll think: “Wow that’s easy, I can do that too.”

You can try it out for sure!

Usually, every common ID (for e.g. “admin”) has a password. All you need to do is try to guess the password. Let’s say if it’s a 2-digit-pin, you have 10 numeric digits from 0 to 9. This means there are 100 possibilities. You can figure this out with pen and paper like Mr. Bean who tried to find correct last two digits of the phone number of the lost kid’s father in the movie, Mr. Bean’s Holiday.

But, the truth is that no password in the world consists of only 2 characters. Even, the pin numbers (a sort of password) used on mobile phones or in a bank consist of minimum 4 characters.

And, on the internet, 8 is generally the standard number for shortest length of a password. Furthermore, complexity is added as alphabets are added within a password to make it more secure. By the way, alphabets can be used in both UPPER and lower cases, thus making a password case sensitive.

Let’s say if we have an alphanumeric 8-character password, how many possible combinations could be made? There are 26 alphabets in English. Double them for both UPPER and lower cases and the count settles on 26+26 = 52.

Then we add the numeric digits: 52+10 = 62

So, we have 62 characters in total.

For 8-character-password, it will be 628 which will make 2.1834011×1014 possible combinations.

If we attempt 218 trillion combinations at one try per second, it would take 218 trillion seconds or 3.6 trillion minutes. To put it simply, just around 7 million years would be required to crack the password with the final combination. Surely, it can take less, but 7 million years is the maximum time limit to crack an alphanumeric 8-character password.

Well, you ain’t gonna live that long.

Then, how it can happen?

Well, if you are interested in cracking passwords, you will have to use computers. To do that, you need to write some simple lines of code. Such programming skills are basic to any coder.

Now, suppose that you have developed a password breaking program that tries 1,000 combinations per second. The time reduces to 7 thousand years.

Not possible!

Well, you need a supercomputer. So, let’s say you get a supercomputer that can try 1×109 attempts per second. In just 22 seconds, all 218 trillions attempts will be tested. (Hopefully, you’ll be inside the account, but if the password is 9 characters long, you’ll have to wait for a few more moments.)

Computing resources of this kind are not available to common people. However, password hackers are not common people. They can collect computing resources by different means, for e.g. by developing a powerful computing engine via software, etc.

Furthermore, the calculation above is for all the possible combinations of an 8-character-password. But, what if your password is the 10th combination or the 100th combination? This is why it is essential to have additional layers of security in order to detect and deflect any password breaching attempt.

That’s scary! What to do now?

There are many tools available for securing different applications which will deny a user after a predefined number of attempts.

For example, for SSH we can use Fail2ban or Deny hosts. These programs will deny the IP address after a few wrong attempts. These tools do a good job. However, there is a twist to all this.

Recently, an exponential increase in brute force attacks has been observed. These attacks emerge from multiple countries around the world and they are getting more sophisticated with each passing day. Therefore, we should all try to be vigilant.

Can I prevent it?

Yes, you can take some precautionary measures:

  • Create a longer password. Longer passwords are harder to break.
  • Your password should have both UPPERCASE and lowercase alphabets, numbers, and special characters. This way, you’ll be able to delay the process of cracking.

Plus, though not very related, you should have different passwords for different accounts. Just like two locks can’t have the same key, two accounts should not have the same password.

Am I safe on Cloudways?

Yes. At Cloudways, we stay on our toes when it comes to server security. Our security system is capable of identifying brute force attacks and banning IPs being used in such attacks. Keeping servers managed on our platform is one of our main priorities.

During the past few months, we have patched servers for all the discovered security shortfalls, including popular ones like Heartbleed and GHOST.

Therefore, we are always at work to protect our Cloudways Platform and the servers hosted on it.

Start Creating Web Apps on Managed Cloud Servers Now!

Easy Web App Deployment for Agencies, Developers and E-Commerce Industry

About Maaz Shah

Maaz Shah works as System Engineer for Cloudways. His days are spent in tackling technical troubles.

Stay Connected:

You Might Also Like...