This blog post covers various aspects of brute force attacks. Put simply, a brute force attack is an action performed to obtain the password of a selected victim. I chose this topic because attacks are part of daily life: people never know when they will occur, so they must know about them in order to protect themselves. I think the topic is highly relevant to IT security, because a brute force attack is a direct assault on people's (IT) security. It may be carried out to break network security (more specifically, people's passwords) and bring the attacker considerable benefits.
The brute force attack, also called exhaustive key search, belongs to cryptography and is a strategy that can be used against any encrypted data. It gives the attacker the possibility to take advantage of a weakness in an encryption system. More precisely, the attack is a strategy for breaking passwords by systematically checking every possible key until the correct (required) key is found. In the worst case this means traversing the entire search space.
The effort of a brute force attack depends mostly on the key length used in the encryption: the longer the key, the harder the password is to crack, and the shorter the key, the easier it is. To support this, I will give an example. A brute force attack on a 2-character password consisting of case-sensitive letters and digits has to consider a potential 3,844 different password guesses (of which only 1 is the right one). That number comes from:
- First character: lower case letters (26) + upper case letters (26) + numbers (10) = 62
- Second character: same = 62
- Total combinations = 62 * 62 = 3,844
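The calculation above generalises directly: the keyspace is the alphabet size raised to the password length, and an exhaustive search needs on average half of it. The following script is an added example (not code from the original post); it reproduces the post's 62 * 62 = 3,844 case and extends it to arbitrary lengths, character classes and an assumed guess rate, so you can see how quickly the search space outgrows a realistic attacker budget.

```python
import math
import string

# Character classes from the post's example (lower + upper + digits = 62).
# "symbols" is an added assumption, used only to show the effect of a larger alphabet.
CHARSETS = {
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "digits": string.digits,             # 10
    "symbols": string.punctuation,       # 32
}


def alphabet_size(classes):
    """Size of the alphabet built from the named character classes."""
    return sum(len(CHARSETS[c]) for c in classes)


def keyspace_size(alphabet, length):
    """Number of distinct passwords of exactly `length` characters: alphabet ** length."""
    return alphabet ** length


def expected_guesses(space):
    """On average the correct password is found halfway through the space."""
    return space / 2


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to traverse the entire search space at a given guess rate."""
    return space / guesses_per_second


def entropy_bits(space):
    """Equivalent key strength in bits: log2 of the number of possibilities."""
    return math.log2(space)


def report(length, classes, guesses_per_second):
    """Summarise the search effort for one password policy as a dict."""
    space = keyspace_size(alphabet_size(classes), length)
    return {
        "length": length,
        "alphabet": alphabet_size(classes),
        "keyspace": space,
        "bits": round(entropy_bits(space), 1),
        "worst_case_seconds": seconds_to_exhaust(space, guesses_per_second),
        "average_seconds": seconds_to_exhaust(expected_guesses(space), guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed attacker rate for illustration: 1e9 guesses/s (an offline hash-cracking rig).
    rate = 1_000_000_000
    classes = ["lower", "upper", "digits"]
    for n in (2, 4, 6, 8, 10, 12):
        r = report(n, classes, rate)
        print(f"len={r['length']:2d} space={r['keyspace']:>22,d} "
              f"bits={r['bits']:5.1f} worst={r['worst_case_seconds']:.3g}s")
```

Running it shows the 2-character case exhausted in microseconds and the 12-character case taking on the order of years at the same rate, which is why length (not a clever alphabet alone) is the dominant defence against exhaustive search.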
Logically, the longer the password, the more guesses and the more time a successful brute force attack needs. Another way to make brute force attacks less effective is to make the data harder to understand (obfuscated), so that even once the hacker has cracked the password he will have difficulty recognising the data.
Some encryption schemes cannot be defeated by a brute force attack because of their mathematical properties. The one-time pad is an example: every cleartext bit has a corresponding key bit, and one-time pads are protected by the randomness of those key bits. A brute force attack may succeed in decoding a bit, but it cannot distinguish that decoding from the other candidates. After obtaining all the possible answers, there is no way to know which one is correct.
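To make the one-time pad argument concrete, here is an added example (my own code, not from the original post) that performs an exhaustive key search against a short one-time-pad ciphertext. Even after discarding every decryption that is not made of lowercase letters, every possible lowercase string of that length survives, because for any guessed plaintext the key `ciphertext XOR guess` is exactly as plausible as the real one. The message, pad and alphabet are constructed for the demo.

```python
import itertools
import secrets
import string


def otp_encrypt(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each data byte with the matching key byte.

    Decryption is the same operation, since (x ^ k) ^ k == x.
    """
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def brute_force_otp(ciphertext: bytes, alphabet: bytes) -> set:
    """Exhaustive key search over every possible pad of len(ciphertext) bytes.

    Only decryptions made entirely of bytes from `alphabet` are kept, i.e. the
    attacker already throws away 'obviously wrong' plaintexts. Even so, every
    string over the alphabet is returned, so the search yields no information
    about which candidate was the real message.
    """
    candidates = set()
    for key in itertools.product(range(256), repeat=len(ciphertext)):
        plaintext = otp_encrypt(ciphertext, bytes(key))
        if all(b in alphabet for b in plaintext):
            candidates.add(plaintext)
    return candidates


def all_strings(alphabet: bytes, length: int) -> set:
    """Every string of `length` bytes over `alphabet`, for comparison."""
    return {bytes(t) for t in itertools.product(alphabet, repeat=length)}


if __name__ == "__main__":
    # Constructed demo: a 2-byte message under a freshly generated random pad.
    message = b"hi"
    pad = secrets.token_bytes(len(message))
    ct = otp_encrypt(message, pad)
    lowercase = string.ascii_lowercase.encode()
    found = brute_force_otp(ct, lowercase)
    print(f"ciphertext {ct.hex()}: {len(found)} lowercase candidates, "
          f"e.g. {sorted(found)[:5]} ...")
    print("search recovered nothing:", found == all_strings(lowercase, len(message)))
```

The loop is deliberately the naive exhaustive search the post describes (65,536 keys for two bytes). The result set has 26 * 26 = 676 members, the complete set of two-letter strings, regardless of which pad was used; that is the property that makes the one-time pad immune to brute force, and it holds only while the pad is truly random and never reused.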
Administrators of databases and directories usually take countermeasures against brute force attacks. A common approach is to limit the number of times a password can be tried, by introducing time delays between successive attempts and by locking accounts out after a number of unsuccessful logon attempts. Website administrators may also restrict a single IP address to only a few password attempts against an account on the site.
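The three countermeasures named above (delays between attempts, account lockout after repeated failures, and a per-IP attempt limit) fit naturally into one small policy object in front of the password check. The class below is an added example written for this post, not code from any particular product; the thresholds, the doubling delay and the status strings are my own assumptions, and the clock is passed in so the behaviour can be verified without waiting.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    next_allowed: float = 0.0  # earliest time another attempt is accepted (delay)
    locked_until: float = 0.0  # lockout expiry; 0.0 means not locked


class LoginGuard:
    """Throttles password guesses per account and per source IP.

    Policy (all numbers are assumptions chosen for this example):
      - after each failure the next attempt on that account must wait
        base_delay * 2**(failures-1) seconds (a growing delay);
      - max_failures consecutive failures lock the account for lockout_seconds,
        during which even a correct password is refused;
      - an IP that produces ip_limit failed attempts within ip_window seconds,
        against any accounts, is refused until the window passes.
    """

    def __init__(self, max_failures=5, lockout_seconds=900,
                 base_delay=1.0, ip_limit=20, ip_window=3600):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.accounts: Dict[str, AccountState] = {}
        self.ip_failures: Dict[str, List[float]] = {}

    def _ip_is_blocked(self, ip: str, now: float) -> bool:
        # Drop failures older than the window, then compare against the limit.
        recent = [t for t in self.ip_failures.get(ip, []) if now - t < self.ip_window]
        self.ip_failures[ip] = recent
        return len(recent) >= self.ip_limit

    def attempt(self, username: str, ip: str, password_ok: bool,
                now: Optional[float] = None) -> str:
        """Record one logon attempt; `password_ok` is the password verifier's verdict.

        Returns one of: "ok", "bad_password", "too_soon", "locked", "ip_blocked".
        Call it for every username, existing or not, so the responses do not
        reveal which accounts exist.
        """
        if now is None:
            now = time.time()
        if self._ip_is_blocked(ip, now):
            return "ip_blocked"
        acct = self.accounts.setdefault(username, AccountState())
        if now < acct.locked_until:
            return "locked"
        if now < acct.next_allowed:
            return "too_soon"
        if password_ok:
            acct.failures = 0
            acct.next_allowed = 0.0
            return "ok"
        acct.failures += 1
        self.ip_failures.setdefault(ip, []).append(now)
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
            acct.next_allowed = 0.0
            return "locked"
        acct.next_allowed = now + self.base_delay * 2 ** (acct.failures - 1)
        return "bad_password"


if __name__ == "__main__":
    # Constructed burst of failures against one account from one address.
    guard = LoginGuard(max_failures=3, lockout_seconds=600, base_delay=1.0)
    for t in (0.0, 0.5, 1.0, 3.0, 10.0):
        print(f"t={t:5.1f}s -> {guard.attempt('alice', '203.0.113.7', False, now=t)}")
    print(f"t=700.0s -> {guard.attempt('alice', '203.0.113.7', True, now=700.0)}")
```

Two practical notes on the design: the per-IP counter is keyed on failures rather than on all requests, so legitimate users behind a shared address are not penalised for successful logins, and the state lives in process memory here, which is fine for a demonstration but would need a shared store (and a cleanup of stale entries) behind a load balancer.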