Cyber-attacks are very common these days. Everyone using the internet is under threat of a privacy breach. There are different types of cybercrimes, and one of the most common is the brute force attack. This method consists of repeated attempts to access a website with different password sequences. There are certain things we can do to prevent such a mishap. Web designers are also looking for a permanent solution to this problem.
In this article, we will address the following topics:
- What is a brute force attack?
- How can it happen?
- What are hackers after?
- How to prevent a brute force attack?
What is a brute force attack?
A brute force attack is a simple method of breaching the security of a server, website, or anything else that is protected by a password. In this method, a hacker tries different combinations of username and password again and again until he gets the desired result. These repeated attempts are just like an army attacking a fortress. It looks like an easy job, but it is not.
As we know, every account ID has a password for protection. Hackers just need to guess the password with these repeated attempts. For example, suppose an account has a 2-digit password. To guess it, a hacker needs to try different combinations of the digits 0-9, so at most 100 different combinations. You can understand this by remembering the movie Mr. Bean’s Holiday, in which Mr. Bean guesses the last two digits of the lost kid’s father’s phone number.
But, in reality, no account has a 2-digit password. Even a mobile or ATM card PIN consists of four digits. Normally, the standard password length is 8 characters, and that is the minimum. You can also add letters and special characters to the password, which makes it more difficult to guess, and you can mix lower and upper case letters. For example, take a password of 8 characters with letters and digits mixed. There are 26 letters in the English alphabet, and if you count both cases it becomes 52. Add the 10 digits as well and the total number of symbols becomes 62. We are not yet considering the special characters.
To break an 8-character password of this kind, hackers need to try 218 trillion different combinations. It looks like a tough, even impossible, task. If they try one combination per second, they will require 7 million years to try every combination. You are obviously not going to live that long.
How can it happen?
Hackers use computer programs to try that many combinations. Trying many combinations per second requires only very simple programming: a few lines of code, which is basic work for a computer programmer. For example, suppose you have a program that checks 1000 combinations per second. The time to crack an 8-character password drops to 7000 years, which is still impossible.
The next option is a supercomputer, which has the capability to try 1×10^9 attempts in a second. You can try all 218 trillion combinations in just 22 seconds. That is how hackers can crack these passwords. These types of computers are not available to the common man, but hackers are professionals in their own field, and they can own such machines.
Remember that we are discussing the total number of possible combinations. What if a hacker succeeds in the 1st or 10th combination? That is why it is important to use an extra layer of security to secure yourself on the web.
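The arithmetic behind the figures above (keyspace size, worst-case and average time to exhaust it at a given guess rate) is easy to reproduce. The following is an added example, not code from the article; the guess rates it uses are the ones the text mentions (1, 1000 and 1×10^9 per second), and the year length is a constructed constant.

```python
import math

# Constructed constant: seconds in a Julian year (365.25 days).
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from an
    alphabet of `alphabet_size` symbols (62 = a-z, A-Z, 0-9 as in the text)."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried before the right one turns up."""
    return space / guesses_per_second


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average case for a uniformly random password: found half way through."""
    return seconds_to_exhaust(space, guesses_per_second) / 2


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def crack_table(alphabet_size: int, length: int, rates: list) -> dict:
    """Worst-case seconds to exhaust the keyspace at each guess rate."""
    space = keyspace(alphabet_size, length)
    return {rate: seconds_to_exhaust(space, rate) for rate in rates}


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed as bits, the usual way to compare policies."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rates = [1.0, 1_000.0, 1e9]  # guess rates discussed in the article
    for alphabet, length in ((10, 2), (62, 8)):
        space = keyspace(alphabet, length)
        print(f"{alphabet}^{length} = {space:,} candidates "
              f"({bits_of_entropy(alphabet, length):.1f} bits)")
        for rate, secs in crack_table(alphabet, length, rates).items():
            print(f"  at {rate:>12,.0f} guesses/s: worst case {humanize(secs)}, "
                  f"average {humanize(secs / 2)}")
```

Running the script prints the worst-case and average exhaustion time for the 2-digit PIN and the 62-symbol, 8-character password at each rate; the average-case column is the point made in the next paragraph, since a real attacker does not need to try every combination.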
What are hackers after?
By using a brute force attack, a hacker wants to gain access to a website or an account in order to perform illegal activities. They can also use the hacked website for other types of attacks. Another possibility is to gain access to a website as part of a long-term plan: in this type of attack, they infect the website with malicious scripts and do not touch anything else. If they are hacking a bank account, it means they are after the money. That is why it is good practice to scan your website regularly.
How to prevent a brute force attack?
There are certain steps you can take to prevent these attacks. We will discuss some of these measures in the following paragraphs.
- Lengthy Password
- Complex Password
- Put a Limit on Login Attempts
- Modification of .htaccess file
- Use Captcha
- Enable Two Factor Authentication
- Install an SSL Certificate
The first thing you can do is to select a lengthy password. The shortest standard length is 8 characters. Many websites and forums emphasize lengthy passwords. The longer your password is, the longer it takes to crack.
Another thing you can do is to choose a complex password. It is not good practice to choose a password like ‘iloveusa’ or ‘password123’. A complex password combines upper and lower case letters with digits and special characters. This is why certain websites require a complex password. A complex password delays the cracking process.
Put a Limit on Login Attempts
The simplest way to make it difficult to crack your password is to limit the login attempts. It is not only the simplest but also a powerful action to secure your website from a brute force attack. If someone tries to access your website with multiple failed attempts, your server or website will block that IP for some period of time.
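The per-IP lockout described above can be implemented in a few dozen lines. The following is an added example, not code from the article: an in-memory failure counter that blocks an address for a fixed period after too many failures inside a sliding window, wrapped around a login check that stores salted PBKDF2 hashes rather than plain passwords. The user names, passwords, addresses and thresholds are constructed for the demonstration; a production deployment would keep the counters in shared storage so that all web servers see the same state.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Tuple

PBKDF2_ITERATIONS = 100_000  # constructed value for the demo


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_user_store(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed stand-in for a user database: name -> (salt, digest)."""
    return {user: hash_password(pw) for user, pw in plain.items()}


# Hashed once so unknown user names cost the same time as wrong passwords.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


class ManualClock:
    """Injectable clock so the block-expiry logic can be exercised offline."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginLimiter:
    """Per-IP failed-login counter with temporary blocking."""

    def __init__(self, max_failures: int = 5, window: float = 60.0,
                 block_for: float = 900.0, clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.block_for = block_for    # seconds an address stays blocked
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until: Dict[str, float] = {}

    def _prune(self, ip: str, now: float) -> None:
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip: str) -> bool:
        now = self.clock()
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # block expired: start with a clean slate
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Count a failure; returns True if this one triggered a block."""
        now = self.clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


def attempt_login(limiter: LoginLimiter, users: dict, ip: str,
                  username: str, password: str) -> str:
    """Returns 'blocked', 'ok' or 'denied'. Blocked addresses are refused
    before the credentials are examined, so guessing cannot continue."""
    if limiter.is_blocked(ip):
        return "blocked"
    salt, expected = users.get(username, _DUMMY_RECORD)
    _, actual = hash_password(password, salt)
    if username in users and hmac.compare_digest(expected, actual):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "denied"


if __name__ == "__main__":
    clock = ManualClock()
    limiter = LoginLimiter(max_failures=3, window=60, block_for=300, clock=clock)
    users = make_user_store({"alice": "correct horse battery"})
    for guess in ("hunter2", "password123", "iloveusa", "correct horse battery"):
        print(guess, "->", attempt_login(limiter, users, "203.0.113.7", "alice", guess))
    clock.t += 301   # wait out the block
    print("after block ->", attempt_login(limiter, users, "203.0.113.7", "alice", "correct horse battery"))
```

Note that the correct password is refused while the address is blocked; the limiter answers before the password is checked, which is what turns a 1000-guesses-per-second script into a handful of guesses per block period.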
Modification of .htaccess file
You can add some rules to the .htaccess file. It will make the cracking process difficult, because you can restrict access to your login page to specific IP addresses. You can take help from the following rules (Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat, or the equivalent Require ip directives):

    # Only IP1 and IP2 (replace with real addresses) may reach the WordPress login page.
    <Files wp-login.php>
        Order deny,allow
        Deny from all
        Allow from IP1
        Allow from IP2
    </Files>

With these rules, only IP1 and IP2 are allowed to reach the login page; every other address is denied.
Hackers use bots to breach the privacy of a website. You can use a Captcha to get rid of this issue. Bots are the main element of a brute force attack, and a Captcha verifies whether you are a human or a bot before you log in.
Enable Two Factor Authentication
The best way to prevent a brute force attack is to use two-factor authentication. It reduces the chances of a breach by a brute force attack, because a guessed password alone is not enough to log in. There are many ways of enabling two-factor authentication.
Installing an SSL Certificate
Another preventive measure is the installation of an SSL certificate. As we know, a DV SSL certificate encrypts all communication between a client and the server, so a hacker cannot read your messages or any other details in transit. Even if the hacker has somehow managed to capture the data, he will still require the decryption key to decrypt it.