When securing infrastructure and access, the value of strong passwords can never be stressed enough. The logic of this advice becomes obvious once one knows that the bruteforce attack threat exists, and understands how it works.

The goal is always the same: guess the right password by multiplying attempts.

For faster results, the method is of course automated, with tools like THC Hydra or, in the case of the recent credential theft on iCloud, iDict.

It is possible to bruteforce many types of authentication:

  • Wifi
  • User accounts on websites
  • Login / password of mailboxes in POP3/IMAP
  • Shell Access or FTP/SFTP
  • VPN Access
  • etc…

Dictionary attack

The principal method remains the dictionary approach.

In practice, acquiring a dictionary of potential passwords is very simple. It is merely a document listing common words, or for instance names, on which an attacker can base the attack. The spell-check dictionary of an OS like Linux is a good starting point. There are also many dictionaries available online.

A good dictionary is targeted at a country and a language, and possibly at a category of users. Many attackers have dictionaries targeted at a given population, which include the most common words, children's names, pet names, combinations of dates of birth, credit card numbers, phone numbers, license plate numbers, etc.

Incidentally, some tools, like those mentioned earlier, conduct hybrid attacks by combining possibilities, for instance the name Kevin and a date of birth.

XKCD perfectly summarized the problem in this little comic: http://xkcd.com/936/

Limiting attempts

If the attacked system does not enforce a limit on the number of authentication attempts, the bruteforce attack can take a long time, but it has a significant chance of succeeding. A relevant defense consists in allowing only a certain number of failed attempts before deactivating the account, or in increasing the minimum time between two attempts.

Though simple, this measure considerably slows down, or even stops, the attacker. The potential length of the attack will often discourage him and push him to change targets.
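The two defenses described above, a growing minimum delay between attempts followed by a lockout after a fixed number of failures, as an added example that is not code from the original post or from CerberHost. The thresholds, the account names and the plaintext password check are constructed for the example; a real system would compare against a stored password hash.

```python
import hmac
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failed attempts for this account
    next_allowed: float = 0.0  # earliest time (seconds) a new attempt is accepted
    locked: bool = False       # set once the failure cap is reached


class LoginThrottle:
    """Per-account throttling: doubling delay between attempts, then lockout."""

    def __init__(self, max_failures=5, base_delay=1.0, max_delay=300.0):
        self.max_failures = max_failures  # failures before the account is deactivated
        self.base_delay = base_delay      # delay after the first failure, doubled each time
        self.max_delay = max_delay        # cap on the delay so it stays finite
        self._state = {}

    def check(self, account, now):
        """Return 0.0 if an attempt may proceed, else seconds to wait (inf if locked)."""
        st = self._state.get(account)
        if st is None:
            return 0.0
        if st.locked:
            return float("inf")
        return max(0.0, st.next_allowed - now)

    def record_failure(self, account, now):
        st = self._state.setdefault(account, AttemptState())
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True  # account deactivated until an operator unlocks it
            return
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay

    def record_success(self, account):
        self._state.pop(account, None)  # a successful login resets the counters


def attempt_login(throttle, account, password, now, real_password):
    """Constructed login check: the throttle is consulted before the password."""
    wait = throttle.check(account, now)
    if wait > 0:
        return "locked" if wait == float("inf") else f"retry in {wait:.0f}s"
    if hmac.compare_digest(password.encode(), real_password.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"
```

Even a correct password is refused while the delay is running, which is what makes the attacker's guessing rate depend on the defender's policy rather than on the server's speed.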

CerberHost’s answers to bruteforce attacks

One of the tools used by CerberHost to protect websites against these attacks is Fail2ban, an open-source component that limits the number of attempts. Other mechanisms are handled by our firewall, NAXSI. The latter includes filtering by IP reputation; thus, IPs making too many failed attempts are blocked.

It is also advisable to set up a limit on the number of attempts directly within the framework or tool in use.

Discover CerberHost


CerberHost protects your website against all Top 10 OWASP attacks, and much more.

To discover CerberHost in pictures, watch its presentation video HERE.

Lucie Saunois
An IT aficionado, particularly when it comes to cybersecurity, since joining OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable to anyone.