Tuesday, January 19, 2010

The Bruteforce Attack

In computers and computer security, the one thing protecting data is the computer password. And where there are passwords, there are people who want access to whatever it is they protect. One of the most popular methods used to obtain a computer password is the bruteforce attack. This post will thoroughly explain what the bruteforce attack is and how to defend your computer security system from it.

Aside from guessing a password, the bruteforce attack is the most popular method used to uncover a password. The bruteforce attack is performed by simply testing every single possible password. By doing so, the correct password is bound to be discovered eventually.

The problem with the bruteforce attack is the impractical amount of time it takes to find the correct password. If the password you attempt to crack is rather long, it can take nearly a century to try every possible password combination until you try the correct one. The solution is to bruteforce the password in different directions. Thus, for a hacker to successfully uncover a password through a bruteforce attack in a significantly shorter amount of time, he would have to run one bruteforcer program trying every password in sequential ascending order from the first possible password; run a second bruteforcer program trying every password in descending sequential order from the last possible password; and lastly run as many bruteforcer programs as possible which randomly try password combinations in between the sequentially first and last possible passwords. Hopefully, a hacker can then uncover a password in a more decent amount of time (but it is still probably going to be a very long amount of time overall).

A variant of the bruteforce attack that I feel inclined to mention is the dictionary attack. The dictionary attack takes a list of words which the hacker believes are liable to be part of the password being attacked. The dictionary attack program uses an algorithm to test each word individually, each word with numbers added to its ends, combinations of words put together, and word combinations with numbers added to the end. Dictionary attacks are generally hit-or-miss when compared to the generic style of bruteforce attack described in the paragraph above this one. Also as described in the paragraph above, the solution to more quickly obtaining a password via bruteforcing is to run as many bruteforcers as possible; in this case, running as many different dictionary lists against the passwords at once as possible.

Defending your computer security system from bruteforce attacks is really pretty simple. The easiest method is to make passwords case sensitive. Just by doing this, you can take the time it takes to successfully bruteforce a password and raise that to a power of 26 (this does not hold true between varying units of time). The second way to defend against bruteforce attacks is to only let a user enter an incorrect password 5 times a day. Since it usually takes thousands of failed passwords before successfully uncovering a password, this simple addition to your security system renders bruteforcing useless. Thirdly, you should require your users to have passwords that are at least eight characters in length. And lastly, you should encourage your users to change their password once a year.
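As an added example (not code from the original post), the sketch below implements the five-failures-per-day limit described above and computes how large the search space is for an eight-character password with and without case sensitivity. The class name, the `check` callback and the rolling 24-hour window are assumptions of this example.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5               # the post's limit: 5 incorrect entries per day
WINDOW_SECONDS = 24 * 60 * 60  # assumption: "a day" is a rolling 24-hour window


class FailedLoginLimiter:
    """Tracks failed logins per account inside a rolling window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable so tests can move time
        self._failures = defaultdict(deque)   # account -> failure timestamps

    def _recent(self, account):
        """Drop failures older than the window and return what is left."""
        cutoff = self.clock() - self.window
        queue = self._failures[account]
        while queue and queue[0] <= cutoff:
            queue.popleft()
        return queue

    def is_locked(self, account):
        return len(self._recent(account)) >= self.max_failures

    def attempt(self, account, supplied, check):
        """Return 'ok', 'denied' or 'locked'; check(account, supplied) -> bool."""
        if self.is_locked(account):
            return "locked"   # refuse before the password is even compared
        if check(account, supplied):
            return "ok"
        self._failures[account].append(self.clock())
        return "denied"


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_day=MAX_FAILURES):
    """Years needed to try every password at the limiter's guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_day / 365
```

Counting failures per account also means repeated failures keep the legitimate user out until the window passes, so pair the limiter with an unlock or alerting path.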

Altogether, the bruteforce attack actually isn't as great as people make it sound. Yes, it has infamously cracked some important passwords, but overall, you're better off practicing Kevin Mitnick's Art of Deception (AKA Social Engineering) to crack a password.


  1. "Just by doing this, you can take the time it takes to successfully bruteforce a password and raise that to a power of 26"

    Not entirely true. What is true is that the amount of different passwords is raised to a power of 26. You can't really raise time, since time is not dimensionless (it has a unit (e.g. seconds, minutes, years)). If you raise time you also raise its unit, which means that if you try to raise 4 seconds to the power 2, the result would be 16 square-seconds (=16 seconds^2) and so your result would have the wrong unit, since 16 square-seconds doesn't really tell you anything useful.
    You could see why raising non-dimensionless numbers fails through noting the following:

    120 seconds = 2 minutes
    120^2 = 14400
    14000 seconds = 240 minutes
    4 minutes != 140000 seconds = 240 minutes

    What this means is that you get different results depending on what unit you measure time in.

  2. Great post anyway, I forgot to say.
    Sorry for double-posting.

  3. When I think about it you don't even raise the amount of different passwords to a power 26. Assuming you don't use other characters other than letters, you multiply the amount of different passwords by 2 raised to the power 26.

    I cannot guarantee that this information is correct but I do think it is very much. (Lol, that's bad English.)

    Sorry for triple-posting, lol.

  4. I am really sorry for posting 4 times, but in the last post I meant 2 raised to the power L, where L is the password length.

  5. Thanks for all of the interesting information (and don't worry about quad posting). I'll be sure to look into it to make sure I get that sentence correct.

    Will comment later to let you know :)

  6. It still isn't quite true. You can never raise anything which isn't dimensionless (is a pure number) and expect to get the result measured in the same units as the thing being raised is measured in. Look at my 3rd and 4th post to see how I meant you have to write.

    Example: 3 minutes to the power 2 = 9 square-minutes.

    And you can't say: "Dinner is ready in 9 square-minutes!".