Disclaimer: While we acknowledge that neither Brad Pitt nor George Clooney's characters in "Oceans 11" were, in fact, password-guessing computer systems, reference to their actions is for the sake of illustration.
There are a variety of immensely sophisticated ways to compromise modern encryption systems protecting your company data. These are the equivalent of George Clooney and Brad Pitt's characters in 2001's "Ocean's 11" as they attempt to slip their way into the vaults of the Bellagio, the Mirage, and MGM Grand hotels in Las Vegas, Nevada. For as much cunning and sleight of hand they attempt, there could have also been a less clever version of the film—one where the main characters stand at "EMPLOYEES ONLY" doors, punching in every possible code on their minds until the locks finally unlatch. This latter, less sophisticated method of entry would be labeled a "brute force attack."
A Brute Force Attack Defined
During a brute force attack, a cybersecurity threat attempts to gain access to a secure system by guessing a password. This is typically performed by a computer system that automatically inputs a variety of password combinations until one finally works. There are many styles of brute force attacks.
Brute Force Attack Styles
Dictionary Attack
A common, yet popular technique of brute force attack is called a dictionary attack. The cyber threat in this scenario uses a computer program that runs through a "dictionary" of popular password combinations to guess the correct one. If you've ever thought you were clever by spelling "password" with a zero ("passw0rd"), this method will crack your login information almost immediately. This scenario includes the tuxedoed pair trying "password" and every possible deviation until the door unlocks.
Exhaustive Key Search Attacks
Exhaustive key search attacks basically throw every possible combination against the wall to see what sticks. These are much less effective due to cybersecurity systems catching wind of their attempts before a successful password is attained. This would be the equivalent of George Clooney mashing his elbows into the keypad for months on end and hoping the security guards don't notice.
Credential Recycling Attacks
Credential recycling attacks rely on the information gathered from other successful attacks. This may include slight variations of usernames and passwords attempted until successful. This scenario would consist of Brad Pitt getting ideas for passwords on the phone from a buddy who had successfully hacked this door in the past.
Why Brute Force Attacks Are Still Successful
Weak Passwords
Brute force attacks rely on inadequate password protocols to be successful. Short, weak passwords are responsible for a large percentage of data breaches due to brute force attacks.
Dated Threat Detection Systems
Just like Brad Pitt and George Clooney's characters would have been quickly nabbed after security guards noticed two guys punching in dozens of wrong passwords at the Personnel Only doors at the Bellagio, so too are many brute force attacks foiled. Unfortunately, older systems, like elderly security guards, may not be so quick to notice suspicious activity. A system that allows for an excessive amount of login attempts gives cyberthreat systems a higher chance at login success. Systems that lack additional required verification methods, such as two-factor authentification or CAPTCHA verification, may also be let malicious threats into your system.
How to Protect Against Brute Force Attacks
Strengthen Your Required Password Protocol
Your company system is only as secure as its weakest password. Protect against brute force attacks by mandating robust password criteria.
Control Login Attempts
There should be a limited number of login attempts possible for a specific username before a password reset is required.
Require Secondary Authentification
Your system should make a "user" prove they are human with a CAPTCHA requirement piece. Two-factor authentication should also be required in the form of email and/or phone verification codes.
Network Security Checks
By enlisting a certified cybersecurity specialist to conduct a third-party audit and penetration test of your system, you can likely discover and remedy your system's weaknesses.