Has your business faced any attack recently? Then you might have gone through some serious backdrop since some time.
The cyber world today is filled with several attacks and cyber bullies that are always in search of some new tricks to disturb your business. But here we are going to learn about the brute force attack.
Brute force attack is an activity in which an attempt is made to try various password combinations to break into any website in a repetitive manner. Mostly, hackers that use maliciously installed bots in other computers for enhancing the computing power needed, run this type of attack.
What a Brute Force Attack is?
You can say it’s a simple method of gaining access to a site or server (or any other thing that is encrypted). The repetitive action of trying various combinations of usernames and passwords is similar to the army attack on a fort.
After reading this, you might think that it’s such an easy task. But that’s not the case.
Generally, every common ID has a password set. The only thing a hacker requires to do is to guess the password. For this, the hacker uses an automated software which has the ability to run the combinations of numbers, letters and symbols repeatedly until it is statistically right. The time required to crack the password depends on how hard is the encryption on the data. For your information, it can even take years sometimes, if the encryption is difficult. Remember, brute force attacks can affect millions of accounts, resulting into ruining a business’s reputation.
Any password isn’t made only of 2 or 3 characters. Even the mobile phone and bank pins comprise of minimum 4 characters.
Additionally, an Internet has made the password length 8 characters, a standard number for the minimum length of a password. Note that the alphabets can be used in both upper and lower cases which makes the password case sensitive.
How a Brute Force Attack can happen?
If you are interested in cracking codes, you will need to use computers. Then you need to write down some simple lines of code. A professional coder already has such programming skills.
Suppose you have a password breaking program with you that tries 1000 combinations per second. Then the time required to crack the password will be 7 thousand years.
You can’t wait 7 thousand years to crack the password.
So, you need a supercomputer that can try 1×109 attempts per second. It will require just 22 seconds testing 218 trillion attempts. But common people can’t have such resources and this indicates the hacker isn’t someone like you and me. They can collect computing resources from different sources such as by developing a powerful computing engine via software and much more.
Moreover, the above calculation was only for a password length of 8-characters. However, if the password is the 10th or 100th combination, it isn’t very easy to crack and therefore, it is recommended to have additional layers of security for detecting and deflecting any password breaching attempt.
Working of a Brute Force Attack
Here are the steps an attacker follows for a brute force attack:
- First the attacker sets his target: either a login page (online) or an encrypted file that has been stolen (offline).
- A computer program that is configured for attempting the entry is used by the attackers by trying usernames along with millions of password combinations. (Note: The attacker can also attempt one password with different usernames).
- After the username and password combination is found to be correct, the attacker can access the secure data easily.
What’s the Motive?
Basically, the hacker wants to access the targeted website illegally and utilize it for either executing another kind of attack or stealing valuable data or simply shutting down the website. There can be long term goals of the attacker behind targeting the website without disturbing a single thing and leaving no traces behind. Therefore, it’s always better to scan your website frequently and follow the best practices for securing your WordPress site.
Scary, right? What can be done?
Several tools are available to secure different applications that deny a user after a particular number of attempts.
For example, in order to secure SSH you can use Deny hosts or Fail2ban. When a few wrong attempts are made from the IP address, it will be denied. These tools perform a good job but there is a twist to all this.
There has been an aggressive rise in the brute force attacks. The attacks are performed from various countries around the world and are getting highly complicated day by day. So, it’s important that you be alert.
How to Prevent the Brute Force Attack?
Here are the security measures you can take to prevent the brute force attack:
- Password Length.
- Password Complexity.
- Limit Login Attempts.
- Modifying .htaccess file.
- Using Captcha.
- Two Factor Authentication.
Password Length
Longer password is the first step towards preventing the brute force attack. Today, there are several websites that ask for a longer password of at least 8 – 16 characters.
Password Complexity:
Complex password is another important thing that you should take a note of. Users shouldn’t create passwords such as ‘password123456’ or ‘ilovemycountry’; rather the password should consist of uppercase as well as lowercase alphabets along with numbers and special characters. The more complex the password, the more time required to crack it.
Limit Login Attempts:
Limiting the login attempts on your website admin or any other admin panel is simple and powerful way to prevent the attack. For example, if there are five failed login attempts on your website, it should block that IP for some time for stopping further attempts being made.
Modifying .htaccess file:
In case, you are working on a WordPress website, you can also add few rules in the .htaccess file to further harden the security of your website. The main objective is to allow access to wp-admin to only particular IP addresses mentioned in .htaccess file.
To do so, open your .htaccess file and modify it like:
<Files /wp-login> order deny, allow allow from IP1 allow from IP2 deny from all </Files>
Here, IP1 and IP2 will be the IPs you allowed access to.
Using Captcha:
Use of captchas is common in websites and it is done to prevent bots from running automated scripts mainly used in brute force attack. It is very easy to install captcha in your website.
Simply install the Google invisible reCaptcha plugin and connect it to your Google account. Then go back to plugin’s settings page and select the places where you want the user to get the captcha. Note that this plugin also supports BuddyPress, WooCommerce and custom forms.
Two Factor Authentication:
For an extra line of defence, you can add a Two Factor Authentication for defending your account from brute force attack. Successful execution of a brute force attack on a 2FA protected sites is possible to a very less extent. You can implement a 2FA in your WordPress site in various ways but the easiest way is by using any of the top WordPress plugins for two factor authentication.
Cloudflare:
You can opt for Cloudflare that deals with CDN and caching. It also prevents your website by offering a protective shield against brute force attacks. You can define rules for login page access and also set Browser Integrity Check.
Other Practices:
- Ensure you create unique passwords for each account.
- Change your passwords frequently.
- Don’t share your credentials through insecure channels.
A system, either offline or online, is under an automated attack at any time which is a severe threat as it’s just a matter of time prior to the success. Implementing countermeasures can help in at least slowing down the attackers.
