What is a Brute Force Attack?
A ‘brute force attack’ or ‘brute forcing’, also known as ‘credential cracking’ when it targets a log-in form, is a method of identifying or “cracking” valid log-in credentials for a website or application, usually with bots, by trying many different values for usernames and passwords one after another until the correct combination is found. Brute forcing is usually a step towards ‘Account Takeover’ (ATO) for financial gain or data theft. There is a thriving underground industry that buys and sells log-in credentials, sourced from other cybercriminals or from lists of leaked or breached accounts. Whereas brute force or cracking attacks rely on guessing, ‘credential stuffing’ attacks involve no guesswork: the attacker sequentially submits stolen or breached username and password pairs to find out which of them are still valid on the target site.
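The difference between cracking and stuffing is visible in an authentication log: cracking produces many failures against one account from a source, while stuffing produces one failure each against many accounts. The following detection logic is an added example written for this page, not code from the original article or any vendor product; the log line format and the constructed sample lines are assumptions made for the example, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system). The line format is an
# assumption for this example: "<timestamp> login <success|fail> user=<name> ip=<addr>".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login fail user=alice ip=203.0.113.7
2024-03-01T10:00:02Z login fail user=alice ip=203.0.113.7
2024-03-01T10:00:03Z login fail user=alice ip=203.0.113.7
2024-03-01T10:00:04Z login fail user=alice ip=203.0.113.7
2024-03-01T10:00:05Z login fail user=alice ip=203.0.113.7
2024-03-01T10:00:06Z login fail user=alice ip=203.0.113.7
2024-03-01T10:00:07Z login success user=alice ip=203.0.113.7
2024-03-01T10:01:00Z login fail user=bob ip=198.51.100.9
2024-03-01T10:01:01Z login fail user=carol ip=198.51.100.9
2024-03-01T10:01:02Z login fail user=dave ip=198.51.100.9
2024-03-01T10:01:03Z login fail user=erin ip=198.51.100.9
2024-03-01T10:01:04Z login fail user=frank ip=198.51.100.9
2024-03-01T10:01:05Z login fail user=grace ip=198.51.100.9
2024-03-01T10:02:00Z login fail user=bob ip=192.0.2.5
2024-03-01T10:02:05Z login success user=bob ip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>success|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

CRACKING = "credential cracking (brute force or dictionary attack on one account)"
STUFFING = "credential stuffing or password spraying (one try against many accounts)"
BENIGN = "benign (a few failures, e.g. a mistyped password)"


def parse_log(text):
    """Parse log lines into dicts with ts/result/user/ip; rejects malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def classify_sources(events, per_account_threshold=5, account_spread_threshold=5):
    """Return {ip: (verdict, accounts that logged in successfully after failures)}.

    Cracking shows up as many failures against ONE account from a source;
    stuffing/spraying shows up as one or two failures each against MANY accounts.
    Logs do not record the password tried, so stuffing and spraying cannot be told
    apart from counts alone; both are reported under one label.
    """
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    success_after_fail = defaultdict(set)            # ip -> users that later succeeded
    for ev in events:
        if ev["result"] == "fail":
            fails[ev["ip"]][ev["user"]] += 1
        elif ev["user"] in fails.get(ev["ip"], {}):
            success_after_fail[ev["ip"]].add(ev["user"])

    verdicts = {}
    for ip, per_user in fails.items():
        if max(per_user.values()) >= per_account_threshold:
            kind = CRACKING
        elif len(per_user) >= account_spread_threshold:
            kind = STUFFING
        else:
            kind = BENIGN
        verdicts[ip] = (kind, sorted(success_after_fail.get(ip, ())))
    return verdicts


def analyze(text=SAMPLE_LOG):
    """Run the classifier over a log; defaults to the constructed sample."""
    return classify_sources(parse_log(text))


if __name__ == "__main__":
    for ip, (kind, taken) in analyze().items():
        note = f"; succeeded on {taken} after failures" if taken else ""
        print(f"{ip}: {kind}{note}")
```

A success on an account that the same source had just been failing against (alice from 203.0.113.7 in the sample) is the signal that matters most, since it marks a likely takeover rather than merely an attempt. In production the counts should be kept per time window and keyed on more than the source address, because attackers distribute attempts across proxies and bot networks precisely to stay under per-IP thresholds.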
Types of Brute Force Attacks
Apart from random guesses, brute force attacks can use dictionaries, entering large numbers of words together with common spelling variations, and other guessing techniques that try variations of the victim’s name or other personal details. Attackers gather such details from social media posts and other publicly available data, or through ‘phishing’ techniques that trick the victim into revealing private information, for example by pretending to be from a business the victim is a customer of, or by impersonating government employees.
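The variations described above are mechanical, which is why the same expansion can be run defensively: screen a password the user is about to choose against the candidates an attacker could derive from known facts about them. The code below is an added example, not the article’s or any tool’s code; the mutation rules and the seed words are a small, assumed subset of what real cracking tools apply through their rule files.

```python
import itertools

# Substitutions a simple "leet" rule applies. Real cracking tools ship far larger
# rule sets; this is a deliberately small, assumed subset for illustration.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "!", "1", "123")


def candidates(seed_words, years=range(2020, 2026)):
    """Expand a few seed words (names, pets, cities) into the variants a dictionary
    attack would try: case changes, leet substitution, year and punctuation
    suffixes, and two-word concatenations."""
    out = set()
    for word in seed_words:
        w = word.lower()
        for base in {w, w.capitalize(), w.upper(), w.translate(LEET)}:
            for year in [""] + [str(y) for y in years]:
                for suffix in SUFFIXES:
                    out.add(f"{base}{year}{suffix}")
    for a, b in itertools.permutations(seed_words, 2):
        out.add(a.lower() + b.lower())
    return out


def is_guessable(password, personal_info):
    """True if the password is one an attacker's wordlist would reach from the
    facts in personal_info (username, pet, home town, ...)."""
    return password in candidates(personal_info)


if __name__ == "__main__":
    known = ["alice", "rex", "london"]   # constructed facts about a hypothetical user
    for pw in ("Rex2024!", "alicerex", "Tq7#pL9v!xW2"):
        print(pw, "guessable" if is_guessable(pw, known) else "ok")
```

Even with only four suffixes and six years, three seed words expand to several hundred candidates, and a policy that merely demands an upper-case letter, a digit and a symbol is satisfied by most of them; that is why checking a new password against context-specific words and known-breached lists is the more useful control.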