Brute force and dictionary attacks: A guide for IT leaders
December 17, 2018
Brute force and dictionary attacks can threaten encrypted databases, password-protected documents, and other secure data, putting corporate assets at great risk. This ebook explains how the attacks work and how you can protect your systems against them.
From the ebook:
What is a brute force attack?
Brute force attacks involve repeated login attempts using every possible letter, number, and character combination to guess a password.
An attacker using brute force is typically trying to guess one of three things: a user or an administrator password, a password hash key, or an encryption key. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys—the difficulty of a brute force attack grows exponentially with the length of the password or key.
The most basic form of brute force attack is an exhaustive key search, which is exactly what it sounds like: trying every possible combination of lowercase letters, capital letters, numbers, and special characters, character by character, until the password is found.
Other brute force methods attempt to narrow the field of possible passwords by using a dictionary of terms (which is covered in more detail below), a rainbow table of precomputed password hashes, or rules based on usernames or other characteristics known about the account being targeted.
Whichever method an attacker chooses, the processing power needed to perform a brute force attack can be intense, especially when faced with modern encryption techniques. To solve that problem, attackers have turned to specialized hardware that looks a lot like a cryptocurrency mining rig.
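As an added example that is not part of the ebook: the online side of the attacks described above (repeated login attempts) leaves a visible footprint in authentication logs. The Python detector below parses constructed sshd-style log lines (sample data made up here, not real traffic) and flags source addresses with repeated failed logins inside a sliding time window, reporting which accounts were targeted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines in sshd style; not taken from the ebook.
SAMPLE_LOG = """\
Dec 17 10:00:01 host sshd[1]: Failed password for alice from 203.0.113.5 port 4000 ssh2
Dec 17 10:00:02 host sshd[1]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Dec 17 10:00:03 host sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Dec 17 10:00:04 host sshd[1]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Dec 17 10:00:05 host sshd[1]: Failed password for bob from 203.0.113.5 port 4004 ssh2
Dec 17 10:00:06 host sshd[1]: Failed password for alice from 203.0.113.5 port 4005 ssh2
Dec 17 10:00:30 host sshd[1]: Failed password for carol from 198.51.100.9 port 5000 ssh2
Dec 17 10:05:00 host sshd[1]: Accepted password for carol from 198.51.100.9 port 5001 ssh2
"""

# Matches only failed-password lines; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2018):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied to build a datetime
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: set(users)} for sources with >= threshold failures in any sliding window."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs still inside the window
    flagged = {}
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, set()).update(u for _, u in q)
    return flagged

if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: repeated failed logins against {sorted(users)}")
```

Lowering the threshold or widening the window trades false positives against sensitivity; the same sliding-window count is what a lockout or rate-limiting control enforces at login time.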