Password Brute Force Attack. A few tips from David H. Coull, Senior Systems Administrator

A password brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.

There are several levels of brute force attacks, starting with plain Brute Force and Password Spraying. In the latter, the attacker circumvents common countermeasures (e.g., account lockout) by "spraying" the same password across many accounts before trying another password. These are some of the least sophisticated ways in which a hacker tries to log into a victim's account, using passwords that are commonly chosen. Most websites have built-in security that can detect these types of attacks and stop them.
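To show from the defender's side why spraying slips past a per-account lockout, here is an added example (not from the article, and not any product's detection code). It runs two checks over a constructed authentication log: a per-account failure counter, which is what a lockout policy sees, and a per-source count of distinct accounts over a sliding time window, which is what catches a spray. The thresholds, the log format and the sample addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
# Fields: timestamp, outcome, username, source address. The addresses are
# from documentation ranges, so no real host is named.
SAMPLE_LOG = """\
2024-01-10T09:00:01 OK    alice  192.0.2.10
2024-01-10T09:00:05 FAIL  alice  203.0.113.5
2024-01-10T09:00:09 FAIL  bob    203.0.113.5
2024-01-10T09:00:14 FAIL  carol  203.0.113.5
2024-01-10T09:00:20 FAIL  dave   203.0.113.5
2024-01-10T09:00:27 FAIL  erin   203.0.113.5
2024-01-10T09:00:33 FAIL  frank  203.0.113.5
2024-01-10T09:00:40 FAIL  grace  203.0.113.5
2024-01-10T09:00:46 FAIL  heidi  203.0.113.5
2024-01-10T09:01:02 FAIL  carol  198.51.100.7
2024-01-10T09:01:04 FAIL  carol  198.51.100.7
2024-01-10T09:01:06 FAIL  carol  198.51.100.7
2024-01-10T09:01:08 FAIL  carol  198.51.100.7
2024-01-10T09:01:10 FAIL  carol  198.51.100.7
2024-01-10T09:01:12 FAIL  carol  198.51.100.7
2024-01-10T09:05:00 FAIL  bob    192.0.2.10
2024-01-10T09:05:12 OK    bob    192.0.2.10
"""

LOCKOUT_THRESHOLD = 5       # assumed policy: an account locks after 5 failures
SPRAY_MIN_ACCOUNTS = 8      # assumed: one source failing against 8+ accounts is a spray
SPRAY_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = line.split()
        events.append({"time": datetime.fromisoformat(ts),
                       "ok": outcome == "OK", "user": user, "src": src})
    return events


def failures_per_account(events, src):
    """How many times each account failed from one source address."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"] and e["src"] == src:
            counts[e["user"]] += 1
    return dict(counts)


def single_account_brute_force(events, threshold=LOCKOUT_THRESHOLD):
    """Classic brute force: one account hit many times.
    This is exactly what a per-account lockout counter measures."""
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1
    return {user for user, n in failures.items() if n >= threshold}


def password_spraying(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Spray: one source, many accounts, one or two failures each.
    Per-account counters never trip, so instead count distinct accounts
    per source over a sliding window. Returns {source: accounts hit}."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["time"])
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:]
                     if e["time"] - start["time"] <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockout would catch:", single_account_brute_force(evs))
    print("spray detection flags:", password_spraying(evs))
    print("spray source per-account failures:",
          failures_per_account(evs, "203.0.113.5"))
```

In the sample, the source at 198.51.100.7 hammers one account and trips the lockout counter, while 203.0.113.5 fails exactly once against each of eight accounts and would never be locked out; only the per-source, cross-account view reports it. Real deployments would key the spray check on whatever identifies the client (address, ASN, device fingerprint) and tune the window and thresholds to normal login volume.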

Below is a diagram of brute force attack levels from less sophisticated to most sophisticated. 

Account Takeover Diagram

Credential Stuffing:  Hackers use a user's personal information that they have stolen themselves or purchased off the Dark Web.

The Dark Web is a place that can be used to sell personal information that has been hacked/stolen from other companies.  The personal information from all those data breaches you read about is sold on the Dark Web.

What is your personal information worth on the Dark Web?  Below is a chart of the cost per person on the Dark Web of your personal information:


Once the hacker has your personal information, they will use it to gain access to other sites.  High-value targets are the common financial, investing and banking sites, and if they know the user's home address, they will try local banks.

Since most people unfortunately reuse passwords, this method is much more efficient than trying to guess every combination of characters. Do you use one or two passwords for all your logins?

Phishing:  Everyone probably knows this one the best because they receive them every day in email: fake emails claiming to be from Apple, Amazon, UPS, etc. and requesting personal information or login credentials from you.  You should refrain from clicking on links in an email unless you were expecting it.  If you are concerned about what the email says, then go directly to that site by bringing up the web browser and typing in the URL, e.g. ups.com, amazon.com, office.com, etc.  NOTE:  Email is not the only way to receive phishing; hackers also use texting and calling to steal personal information from you.

Next Gen Witchcraft:  This is the unknown at the next level of the hacker's arsenal.  Phishing used to be easy to spot: misspelled words, poor grammar, etc.  The old days of helping the Nigerian Prince are long gone.  Now the phishing emails are very hard to spot because the hacker has built layers of complexity into their phishing scam.  Think before you Click.

How do you protect yourself? There is no 100% sure fix, but there are ways to make it more difficult for the hacker.

Multifactor Authentication (MFA) is a combo punch to the hacker.  A strong password with MFA turned ON adds a second layer of security.  When you log into a website with your strong password, MFA is then invoked to confirm more information before allowing you into the site.  The confirmation is often sent to your phone, which also alerts you to any unauthorized login attempts.

Another way to avoid reusing the same password, and to use stronger passwords, is a password management system.  You remember one password to log into the password management system, which holds your credentials for other sites.  Some examples are LastPass and Dashlane.  These services have multiple layers of security to protect your personal information.

Always Think Before You Click!

David H. Coull
Senior Systems Administrator
dcoull@sendero.com