Brute force attacks crack data by trying every possible combination, like a thief breaking into a safe by trying all the numbers on the lock.
A brute force attack is a trial-and-error method used to decode sensitive data. The most common applications for brute force attacks are cracking passwords and cracking encryption keys (keep reading to learn more about encryption keys). Other common targets for brute force attacks are API keys and SSH logins. Brute force password attacks are often carried out by scripts or bots that target a website's login page.
What differentiates brute force attacks from other cracking methods is that brute force attacks don’t employ an intellectual strategy; they simply try using different combinations of characters until the correct combination is found. This is kind of like a thief trying to break into a combo safe by attempting every possible combination of numbers until the safe opens.
The biggest advantages of brute force attacks are that they are relatively simple to perform and, given enough time and the lack of a mitigation strategy for the target, they always work. Every password-based system and encryption key out there can be cracked using a brute force attack. In fact, the amount of time it takes to brute force into a system is a useful metric for gauging that system’s level of security.
On the other hand, brute force attacks are very slow, as they may have to run through every possible combination of characters before achieving their goal. This sluggishness is compounded as the number of characters in the target string increases (a string is just a combination of characters). For example, a four-character password takes significantly longer to brute force than a three-character password, and a five-character password takes significantly longer than a four-character password. Once character count is beyond a certain point, brute forcing a properly randomized password becomes unrealistic.
If the target string is sufficiently long, then it could take a brute force attacker days, months, or even years to decode a properly randomized password. As a result of the current trend of requiring longer passwords and encryption keys, brute force attacks are quite a bit more difficult. When good passwords and encryption are utilized, attackers typically try other methods of code breaking such as social engineering or on-path attacks.
Developers who manage authorization systems can take measures such as locking out IP addresses that have generated too many failed logins, and incorporating a delay in their password-checking software. A delay of even a few seconds can greatly weaken the effectiveness of a brute force attack.
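One way to implement the per-IP lockout and delay described above, as an added example that is not code from the original article. The class name, thresholds, simulated client and the constructed address 203.0.113.7 are assumptions for illustration; failures age out of a sliding window instead of being reset by a successful login.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP limiter: short delay after each failed login, lockout after too many."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 delay=2.0, clock=time.monotonic):
        self.max_failures = max_failures  # failures tolerated inside the window
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds an IP is refused after the limit
        self.delay = delay                # seconds to wait after any single failure
        self.clock = clock                # injectable so tests need not sleep
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> earliest time of next attempt

    def retry_after(self, ip):
        """Seconds this IP must still wait; 0.0 means the attempt may be checked."""
        return max(0.0, self._blocked_until.get(ip, 0.0) - self.clock())

    def record_failure(self, ip):
        """Call after a password check fails. Failures only age out of the window;
        a successful login does not reset them."""
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
        else:
            self._blocked_until[ip] = now + self.delay


def guesses_checked(duration, step=1.0, ip="203.0.113.7", **policy):
    """Simulate a client sending a wrong password every `step` seconds for
    `duration` seconds and count how many guesses the server actually checks."""
    now = [0.0]  # simulated clock
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    checked = 0
    while now[0] < duration:
        if throttle.retry_after(ip) == 0.0:
            throttle.record_failure(ip)
            checked += 1
        now[0] += step
    return checked
```

With these defaults, an hour of once-per-second guessing from one address gets 20 passwords checked instead of 3,600.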
Users of web services can decrease their vulnerability to brute force attacks by choosing longer, more complex passwords. It is also recommended to enable two-factor authentication and use unique passwords for each service. If an attacker is able to brute force a user’s password for one service, that attacker may try recycling the same login and password on many other popular services. This is known as credential stuffing.
Users should also avoid entering passwords or personal information such as credit card numbers or banking information with any web service that doesn’t protect their data with strong encryption keys.
Encryption keys are random strings of bits generated to scramble and unscramble data. Once the data has been scrambled, it appears as a string of random, jumbled characters until being unscrambled with the correct encryption key. Just like passwords, encryption keys can be cracked using brute force attacks, but today there are encryption keys in use that would take so long to crack using modern computers that they are considered as good as unbreakable.
A longer encryption key is exponentially more secure than a shorter one. For example, in a 128-bit encryption key, there are 2^128 possible combinations a brute force attacker would have to try. For 256-bit encryption, an attacker would have to try 2^256 different combinations, which would require 2^128 times more computational power to crack than a 128-bit key! (2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible combinations).
To give you a sense of what these numbers mean, a powerful computer that could check trillions of combinations per second would still require well over a sexdecillion years to crack a 256-bit encryption key (a sexdecillion is a one followed by 96 zeroes).
As high-bit encryption keys are practically immune to current brute force attacks, it is recommended that all web services that collect user information encrypt their data and communications using 256-bit encryption keys. Cloudflare uses best-in-class TLS encryption to prevent brute force attacks, and has worked on future-proofing against quantum computing.