Difference between revisions of "Brute force attack"
| (17 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | A ''' | + | A '''brute force attack''' also known as an '''exhaustive search''' is a method of cracking a password where every possible combination is tried. Because of this, brute force attacks are always successful, however, they usually take so much time, they're not worth using. |
A mechanical example of a brute force attack is trying every possible combination on a combination lock. This is a tedious process because, with even a simple combination lock where the dial has only 30 places and the lock uses three numbers, would require 75 hours to check every combination if we assume it takes 10 seconds per attempt. | A mechanical example of a brute force attack is trying every possible combination on a combination lock. This is a tedious process because, with even a simple combination lock where the dial has only 30 places and the lock uses three numbers, would require 75 hours to check every combination if we assume it takes 10 seconds per attempt. | ||
| Line 6: | Line 6: | ||
Brute force attacks have legitimate uses, like when you've forgotten your password. However, they're mostly used for nefarious purposes. | Brute force attacks have legitimate uses, like when you've forgotten your password. However, they're mostly used for nefarious purposes. | ||
| + | |||
| + | Brute force attacks can sometimes be sped up using a [[De Bruijn sequence]]. | ||
==Process== | ==Process== | ||
| Line 16: | Line 18: | ||
==Accelerating the Process== | ==Accelerating the Process== | ||
| − | In computer systems, passwords almost always allow the letters a-z, capital A-Z, numbers 0-9, and a host of special characters like !@#$%^&*. If we assume 100 possible characters, and the password is at most eight characters long, it means we will have to try 10,101,010,101,010,102 | + | In computer systems, passwords almost always allow the letters a-z, capital A-Z, numbers 0-9, and a host of special characters like !@#$%^&*. If we assume 100 possible characters, and the password is at most eight characters long, it means we will have to try 100^8 + 1 total passwords (or 10,101,010,101,010,102) to guarantee a match. If we assume our PC can try 1,000,000,000 passwords a second, it will take about 116 days to try every password, and for a nine-character-long password, it would take over 32 years! So, why do password crackers even bother with brute force attacks? Because there are several ways to accelerate the process. |
===Trying Common Characters First=== | ===Trying Common Characters First=== | ||
| − | Unless the system requires an assortment of characters like a capital letter, number, or symbol, most users don't bother with them. Because of this, a brute force system can be setup to first try passwords made up of just the 26 lowercase letters, and | + | Unless the system requires an assortment of characters like a capital letter, number, or symbol, most users don't bother with them. Because of this, a brute force system can be setup to first try passwords made up of just the 26 lowercase letters, and, if that fails, just numbers, then just capital letters. This is often enough to crack a large percentage of passwords. The remaining passwords will have to be brute forced with an attack which includes the more complex characters. Only 217,180,147,159 passwords can be made using just lowercase letters with a maximum length of 8 characters, which, assuming 1,000,000,000 attempts can be made each second, would only take about 4 minutes. For all passwords up to 9 characters, it would take 1.6 hours. |
| − | ===Faster Hardware=== | + | ===Faster and Distributed Hardware=== |
| − | 1,000,000,000 passwords-a-second may | + | 1,000,000,000 passwords-a-second may sound impressive, but that is what is expected for the average consumer. Government or university super computers have also been used for the task which are thousands of times faster. Even smaller groups or individuals can build hardware consisting of dozens of processors chained together, or just use a network of regular computers each running a chunk of the passwords to out pace any single CPU. |
| − | |||
| − | |||
| − | |||
==Defenses== | ==Defenses== | ||
There are several ways to protect against or slow down brute force attacks. | There are several ways to protect against or slow down brute force attacks. | ||
| − | ===Control the Log In=== | + | ===Control the Log-In=== |
| − | The simplest and most effective method is to control the log in process. If you can control how a person logs in, you can add a delay after a failed attempt, lock the account after too many failures, and report when the failed attempts | + | The simplest and most effective method is to control the log in process. If you can control how a person logs-in, you can add a delay after a failed attempt, lock the account after too many failures, and report when the failed attempts occur. These methods make brute force attacks entirely unfeasible because they can make the already slow process take billions of times longer. You will see these methods on website logins, ATMs, and OSes. However, this type of defense won't stop a cracker who can defeat your security, or acquire a copy of your data. For example, the [[Windows]] OS has a built-in delay on a failed password attempt, so brute forcing a password from the log-in screen is unfeasible, but if someone has brief access to your PC while it is logged in, they can make a copy of the password file, run the brute force attack on their own computer, and successfully determine your password. |
| − | It's possible to control the log in process even when it's not running on your PC. If a proprietary software package is built around encryption, the delay can be added to the program itself. Then, even if the file is copied, the cracker would still have to use the same program to decrypt it, which foils brute force attacks. In order to avoid the delay, the cracker would have to reverse engineer the program and recreate it without the delay, which is a tedious and complex process. | + | It's possible to control the log in process even when it's not running on your PC. If a proprietary software package is built around encryption, the delay can be added to the program itself. Then, even if the file is copied, the cracker would still have to use the same program to decrypt it, which foils brute force attacks. In order to avoid the delay, the cracker would have to reverse-engineer the program and recreate it without the delay, which is a tedious and complex process. |
===Longer Passwords=== | ===Longer Passwords=== | ||
| − | Since brute force attacks take exponentially longer to perform as the length of a password increases, each character you add to your password makes it | + | Since brute force attacks take exponentially longer to perform as the length of a password increases, each character you add to your password makes it exponentially more secure from this type of attack. |
===Complex Characters=== | ===Complex Characters=== | ||
| − | + | Since brute force attacks are often done with just lowercase letters or just numbers first, it helps to include in your password a variety of characters like upper and lower, numbers, and symbols. In particular, it helps to use a character not found on a keyboard, which many brute force attacks don't even bother checking. These are not possible in many older systems, but most new systems allow them. To enter such a character, hold ALT on your keyboard, then type a number on the keypad (the numbers on the side not the top) and release ALT. For example, ALT+236 gives the character "∞" which will be given far less priority in a brute force attack. | |
===Don't Verify Passwords=== | ===Don't Verify Passwords=== | ||
| − | + | Most forms of decryption report back if the user has entered a correct or incorrect password as a matter of convenience--they are able to do this because the hashed password is stored with the file--but this is not necessary. The safest form of encryption doesn't store the password at all, not even hashed. In such a case, if you use an incorrect password, the encrypted data will still go through the decryption process, but you will only get jumbled encrypted data for output. For each new password a cracker tries, analog verification, like a human looking at the output, is necessary to determine if the data decrypted successfully. A [[one-time pad]] is a good example of this. By not verifying the password, a brute force attack is effectively useless even against short passwords. | |
| + | |||
| + | The trade-off here is that most users don't want to see jumbled data when they enter an incorrect password, and certainly don't want to run the risk of overwriting an incorrectly decrypted file. | ||
==Program== | ==Program== | ||
| − | The following FreeBASIC program will perform a brute force attack on the specified password. | + | The following [[FreeBASIC]] program will perform a brute force attack on the specified password. |
' This program will run a brute force attack against the specified password string. | ' This program will run a brute force attack against the specified password string. | ||
| Line 60: | Line 61: | ||
sPassword = "!Xs~" ' The password to search for. | sPassword = "!Xs~" ' The password to search for. | ||
| − | iRefresh = 15577 ' Adjust for often you want the screen to refresh. Try to get about 1 refresh a second. | + | iRefresh = 15577 ' Adjust for how often you want the screen to refresh. Try to get about 1 refresh a second. |
iMaxPasswordLengthAttempt = 20 ' How many places to try before giving up. | iMaxPasswordLengthAttempt = 20 ' How many places to try before giving up. | ||
| Line 77: | Line 78: | ||
End If | End If | ||
| − | Locate 1, 1: Print " | + | Locate 1, 1: Print "Attempting: " |
Do | Do | ||
' Get the current password attempt. | ' Get the current password attempt. | ||
| Line 85: | Line 86: | ||
If iCount = iRefresh Then | If iCount = iRefresh Then | ||
iCount = 0 | iCount = 0 | ||
| − | Locate 1, | + | Locate 1, 13: Print sTry |
End If | End If | ||
| Line 117: | Line 118: | ||
End Function | End Function | ||
| − | ' Use | + | ' Use recursion to roll the password forward. |
Sub GetNextPassword(iPlace As Integer) | Sub GetNextPassword(iPlace As Integer) | ||
' Increment the current place holder. | ' Increment the current place holder. | ||
Latest revision as of 16:00, 22 October 2021
A brute force attack also known as an exhaustive search is a method of cracking a password where every possible combination is tried. Because of this, brute force attacks are always successful, however, they usually take so much time, they're not worth using.
A mechanical example of a brute force attack is trying every possible combination on a combination lock. This is a tedious process because, with even a simple combination lock where the dial has only 30 places and the lock uses three numbers, would require 75 hours to check every combination if we assume it takes 10 seconds per attempt.
A similar system is used with password cracking on computers, where you first try password "a," then "b," and on to "z," then "aa," "ab," and so on. The number of passwords you need to try grows exponentially the longer the password gets.
Brute force attacks have legitimate uses, like when you've forgotten your password. However, they're mostly used for nefarious purposes.
Brute force attacks can sometimes be sped up using a De Bruijn sequence.
Contents
Process
At its most basic level, a brute force attack is a three step process:
- Generate the next password.
- Try the password.
- If the password was not successful, go to step 1.
Step 2 is the most difficult step because many systems purposely make it difficult to automate trying a password to prevent brute force attacks.
Accelerating the Process
In computer systems, passwords almost always allow the letters a-z, capital A-Z, numbers 0-9, and a host of special characters like !@#$%^&*. If we assume 100 possible characters, and the password is at most eight characters long, it means we will have to try 100^8 + 1 total passwords (or 10,101,010,101,010,102) to guarantee a match. If we assume our PC can try 1,000,000,000 passwords a second, it will take about 116 days to try every password, and for a nine-character-long password, it would take over 32 years! So, why do password crackers even bother with brute force attacks? Because there are several ways to accelerate the process.
Trying Common Characters First
Unless the system requires an assortment of characters like a capital letter, number, or symbol, most users don't bother with them. Because of this, a brute force system can be setup to first try passwords made up of just the 26 lowercase letters, and, if that fails, just numbers, then just capital letters. This is often enough to crack a large percentage of passwords. The remaining passwords will have to be brute forced with an attack which includes the more complex characters. Only 217,180,147,159 passwords can be made using just lowercase letters with a maximum length of 8 characters, which, assuming 1,000,000,000 attempts can be made each second, would only take about 4 minutes. For all passwords up to 9 characters, it would take 1.6 hours.
Faster and Distributed Hardware
1,000,000,000 passwords-a-second may sound impressive, but that is what is expected for the average consumer. Government or university super computers have also been used for the task which are thousands of times faster. Even smaller groups or individuals can build hardware consisting of dozens of processors chained together, or just use a network of regular computers each running a chunk of the passwords to out pace any single CPU.
Defenses
There are several ways to protect against or slow down brute force attacks.
Control the Log-In
The simplest and most effective method is to control the log in process. If you can control how a person logs-in, you can add a delay after a failed attempt, lock the account after too many failures, and report when the failed attempts occur. These methods make brute force attacks entirely unfeasible because they can make the already slow process take billions of times longer. You will see these methods on website logins, ATMs, and OSes. However, this type of defense won't stop a cracker who can defeat your security, or acquire a copy of your data. For example, the Windows OS has a built-in delay on a failed password attempt, so brute forcing a password from the log-in screen is unfeasible, but if someone has brief access to your PC while it is logged in, they can make a copy of the password file, run the brute force attack on their own computer, and successfully determine your password.
It's possible to control the log in process even when it's not running on your PC. If a proprietary software package is built around encryption, the delay can be added to the program itself. Then, even if the file is copied, the cracker would still have to use the same program to decrypt it, which foils brute force attacks. In order to avoid the delay, the cracker would have to reverse-engineer the program and recreate it without the delay, which is a tedious and complex process.
Longer Passwords
Since brute force attacks take exponentially longer to perform as the length of a password increases, each character you add to your password makes it exponentially more secure from this type of attack.
Complex Characters
Since brute force attacks are often done with just lowercase letters or just numbers first, it helps to include in your password a variety of characters like upper and lower, numbers, and symbols. In particular, it helps to use a character not found on a keyboard, which many brute force attacks don't even bother checking. These are not possible in many older systems, but most new systems allow them. To enter such a character, hold ALT on your keyboard, then type a number on the keypad (the numbers on the side not the top) and release ALT. For example, ALT+236 gives the character "∞" which will be given far less priority in a brute force attack.
Don't Verify Passwords
Most forms of decryption report back if the user has entered a correct or incorrect password as a matter of convenience--they are able to do this because the hashed password is stored with the file--but this is not necessary. The safest form of encryption doesn't store the password at all, not even hashed. In such a case, if you use an incorrect password, the encrypted data will still go through the decryption process, but you will only get jumbled encrypted data for output. For each new password a cracker tries, analog verification, like a human looking at the output, is necessary to determine if the data decrypted successfully. A one-time pad is a good example of this. By not verifying the password, a brute force attack is effectively useless even against short passwords.
The trade-off here is that most users don't want to see jumbled data when they enter an incorrect password, and certainly don't want to run the risk of overwriting an incorrectly decrypted file.
Program
The following FreeBASIC program will perform a brute force attack on the specified password.
' This program will run a brute force attack against the specified password string.
' It will try all printable ASCII characters (32-126), but can be easily modified to use a full 256 set.
' This code is for demonstration purposes only, it has not been optimized, and runs extremely slow.
' © Copyright 2017, Dean Tersigni.
Declare Function GetAttempt As String
Declare Sub GetNextPassword(iPlace As Integer)
Dim As String sPassword, sTry
Dim As Integer iCount, iRefresh
Dim As Integer iMaxPasswordLengthAttempt
sPassword = "!Xs~" ' The password to search for.
iRefresh = 15577 ' Adjust for how often you want the screen to refresh. Try to get about 1 refresh a second.
iMaxPasswordLengthAttempt = 20 ' How many places to try before giving up.
Dim Shared As Integer iAttempt(1 To iMaxPasswordLengthAttempt)
Dim Shared As Integer iAttemptLength = 1
Dim Shared dStart As Double
dStart = Timer
' Trap for an empty password.
If sPassword = "" Then
Print "Password is blank, instant match!"
Sleep: End
Else
iAttempt(1) = 32
End If
Locate 1, 1: Print "Attempting: "
Do
' Get the current password attempt.
sTry = GetAttempt()
iCount = iCount + 1
If iCount = iRefresh Then
iCount = 0
Locate 1, 13: Print sTry
End If
' Try the current password attempt.
If sTry = sPassword Then
CLS
Print "Found!"
Print "Password is '" + sTry + "'"
Print "After"; (Timer - dStart); " second(s)."
Sleep: End
End If
' Get the next password.
GetNextPassword(iAttemptLength)
Loop Until Inkey$ = Chr(27)
' Convert the array into a simple string for comparison purposes.
Function GetAttempt As String
Dim As Integer I
Dim As String sAttempt
For I = 1 To UBound(iAttempt)
If iAttempt(I) = 0 Then
Exit For
End If
sAttempt = sAttempt + Chr(iAttempt(I))
Next I
Return sAttempt
End Function
' Use recursion to roll the password forward.
Sub GetNextPassword(iPlace As Integer)
' Increment the current place holder.
iAttempt(iPlace) = iAttempt(iPlace) + 1
' Check to see if we need to roll.
If iAttempt(iPlace) = 127 Then
iAttempt(iPlace) = 32
If iPlace = 1 Then
' We've rolled the first place holder, increment the length of the password attempt.
iAttemptLength = iAttemptLength + 1
If iAttemptLength > UBound(iAttempt) Then
' We've reached the end.
CLS
Print "Attemped every password, still no match."
Print "After "; (Timer - dStart); " second(s)."
Sleep: End
End If
iAttempt(iAttemptLength) = 32
Else
' Set the current place to the beginning, and increment the previous
GetNextPassword(iPlace - 1)
End If
End If
End Sub
Links
- en.wikipedia.org/wiki/Brute-force_attack - Wikipedia.
