A Primer To The Nature Of Brute-Force Attacks
Many brute-force attack cases are in fact “password list attacks”, which use a list of IDs and passwords leaked from another site. In many of these cases the root problem is the user’s password management, and in many the attacked website bears no direct responsibility; this is thought to be one reason why password-targeted attacks, including the password list attack, are so common. However, most users are not interested in password management. The reason websites adopt password authentication is cost, that is, the economic situation of the website or system owner.
A brute-force attack, as the name implies, is a way of trying passwords by brute force. A good example is a password of only 4 characters. With 4 characters drawn from 26 letters there are 26^4 = 456,976 possible patterns. If you could try 10 passwords per second, you could try every pattern in about 13 hours. Since this is a real threat, websites that adhere to strict password complexity enforcement do not allow passwords shorter than 8 characters. For an 8-character alphanumeric (case-sensitive) password there are (26 + 26 + 10)^8 patterns. At that rate it would take about 690,000 years to break such a password; a botnet-based brute-force attempt would break it faster, but the password is strong enough for any regular Joe to depend on.
Because brute-force attacks are so inefficient and their success probability is low, a method was devised in which “words that users tend to use as passwords” are registered in a dictionary and tried as passwords. This is called a dictionary attack. The size of the “dictionary” varies, but it is estimated at tens to thousands of entries. Penetration testing and similar work uses “big dictionaries” of several thousand entries, but in real attacks it appears to be more efficient to try a few guesses against one ID and move on to the next ID if none of them succeed.
Account locking is available as a countermeasure against dictionary attacks. If the password fails several to ten times in a row, the account is locked for a while (about 30 minutes to one hour). Account locking is a valid defense, but it does not protect a user who has a very weak password such as “password” or “123456”. Dictionary attacks usually start from the most frequently used passwords, so if the user has set a very weak password, a guess is likely to succeed before the lock is applied.
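As an added example (not code from the original article), the following Python simulation shows why account locking alone does not help a user with a very weak password. It assumes a lock after 5 consecutive failures lasting 30 minutes, and a short constructed list of common passwords in frequency order.

```python
import hmac
import time

LOCK_THRESHOLD = 5        # consecutive failures before the account locks (assumed value)
LOCK_SECONDS = 30 * 60    # lock duration; the lower end of the 30-60 minute range in the text

# A few of the most common passwords, most frequent first (constructed, abbreviated list).
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein", "monkey"]

class AccountStore:
    """Minimal in-memory account store with per-account lockout (demo only: plaintext passwords)."""
    def __init__(self, accounts, clock=time.time):
        self._pw = dict(accounts)
        self._fails = {u: 0 for u in accounts}
        self._locked_until = {u: 0.0 for u in accounts}
        self._clock = clock

    def login(self, user, password):
        """Return 'locked', 'ok' or 'fail'; locks after LOCK_THRESHOLD consecutive failures."""
        now = self._clock()
        if now < self._locked_until[user]:
            return "locked"
        if hmac.compare_digest(self._pw[user], password):
            self._fails[user] = 0
            return "ok"
        self._fails[user] += 1
        if self._fails[user] >= LOCK_THRESHOLD:
            self._fails[user] = 0
            self._locked_until[user] = now + LOCK_SECONDS
        return "fail"

def dictionary_outcome(store, user, dictionary):
    """Replay the dictionary most-common-first against one account.
    Returns ('compromised', n) if guess n succeeded, ('locked', n) if the lock
    stopped the run after n attempts, or ('exhausted', n) if the dictionary ran out."""
    for n, guess in enumerate(dictionary, start=1):
        result = store.login(user, guess)
        if result == "ok":
            return "compromised", n
        if result == "locked":
            return "locked", n - 1
    return "exhausted", len(dictionary)

if __name__ == "__main__":
    store = AccountStore({"alice": "password", "bob": "correct-horse-battery-staple"})
    print("alice:", dictionary_outcome(store, "alice", COMMON_PASSWORDS))  # ('compromised', 2)
    print("bob:  ", dictionary_outcome(store, "bob", COMMON_PASSWORDS))    # ('locked', 5)
```

Note that after the run bob is locked out as well, so the lock stops the attacker but also the legitimate user for the lock period.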
A password list attack is a type of attack in which a list of usernames and passwords obtained from a hacked site other than the target is tried against the target site. Given that a certain percentage of users reuse a single password, such lists can break passwords effectively.
Why are certain sites vulnerable to password list attacks?
- The target site holds high-value information and offers a means to earn financial benefits
- No vulnerability such as SQL injection is found on the target site
- There is a “vulnerable site” whose users overlap with those of the attack target, and a list of IDs and passwords can be obtained from it
- Users with the same ID and password exist on both sites with a certain probability
How to minimize the possibility of becoming a target of a brute-force attack?
1. Two-step authentication (two-factor authentication)
Two-step authentication adds another means of authentication on top of ID and password authentication. Even if the password is leaked, unauthorized access is prevented because the second authentication is demanded. In the past there were banks whose online banking supported only passwords, but 2FA was soon introduced.
2. Risk-based authentication
Two-step authentication is a powerful method that is effective not only against password list attacks but also against other password attacks such as phishing, but it has the drawback of placing a somewhat larger burden on the user. Risk-based authentication is therefore offered as a method that relaxes two-step authentication a little. It is usually password-only authentication, but when an authentication attempt is made under unusual circumstances, it requires information other than the password.
3. Monitoring of the login process
It is reported that many incidents were noticed as anomalies only because the server load rose sharply due to a password attack. Therefore, real-time monitoring of the following may allow attacks to be detected early and damage to be minimized.
- Number of password attempts
- Number of incorrect passwords
- Password error rate
However, this also gives the impression that the load increase happened only because the attacker was overly aggressive, and there is a possibility that the attack goes unnoticed when it is carried out “slowly”. It is better to monitor the login process, though it is not the key to attack detection. Sufficient knowledge on the part of end users is also required to be more resilient to brute-force attacks.
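An added example, not part of the original article: the three counters listed above computed per minute over a constructed sample log, plus a second rule that looks at total failures per source so that the “slow attack” case is not missed by load-based detection. The log format, thresholds and IP addresses are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_log():
    """Sample auth log, constructed for this example (not real traffic).
    Line format: '<ISO time> <source ip> <user> <ok|fail>'."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    stamp = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = []
    for i in range(60):  # normal traffic: one login a minute, every fifth one mistyped
        lines.append(f"{stamp(minutes=i)} 198.51.100.{i % 7} user{i % 9} {'fail' if i % 5 == 4 else 'ok'}")
    for i in range(30):  # noisy dictionary run: 30 failures on one account within one minute
        lines.append(f"{stamp(minutes=10, seconds=2 * i)} 203.0.113.5 alice fail")
    for i in range(15):  # slow run: one failure every four minutes, each on a different account
        lines.append(f"{stamp(minutes=4 * i)} 203.0.113.9 user{i} fail")
    return "\n".join(lines)

def parse(text):
    """Return (timestamp, ip, user, succeeded) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(ts), ip, user, res == "ok") for ts, ip, user, res in rows]

def window_metrics(events):
    """Per-minute attempts, incorrect passwords and error rate: the three counters the text lists."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, _, _, ok in events:
        b = buckets[ts.replace(second=0, microsecond=0).isoformat()]
        b[0] += 1
        b[1] += 0 if ok else 1
    return {k: (a, f, f / a) for k, (a, f) in sorted(buckets.items())}

def detect(events, min_attempts=20, max_error_rate=0.5, slow_fail_limit=10):
    """Burst rule: a minute with many attempts and a high error rate (the load-spike case).
    Slow rule: a source whose total failures pass a limit regardless of rate; this is what
    catches the 'slowly attacking' case that load-based detection misses."""
    alerts = [("burst", minute, attempts, fails)
              for minute, (attempts, fails, rate) in window_metrics(events).items()
              if attempts >= min_attempts and rate >= max_error_rate]
    fails_by_ip = defaultdict(int)
    for _, ip, _, ok in events:
        fails_by_ip[ip] += 0 if ok else 1
    alerts += [("slow", ip, n) for ip, n in fails_by_ip.items() if n >= slow_fail_limit]
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(constructed_log())):
        print(*alert)
```

The burst rule fires only for the 10:10 minute, while the slow rule is the only one that reports 203.0.113.9, whose 15 failures never raise any single minute above two attempts.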