# Brute Force Attacks

A brute force attack tries every possible combination of characters, hashes each candidate with the right one-way function, and compares the result with the hashed password until a match is found.

The benefit of a brute force attack is that the password will eventually be found, even if it is just a bunch of random characters. In contrast, dictionary attacks and rainbow table attacks could never find such passwords because they won’t be in any word list. It is also a simple, straightforward attack, which is why we cover it as our first method. You only need a password cracker to perform it; you won’t need additional data, like a word list or rainbow table.

Theoretically, it is possible to crack every password with brute force by applying every hashing algorithm, if you have enough time. Practically, however, that is rarely the case. The downsides of brute force attacks are that they can take a very long time to perform and need a lot of hardware resources. After all, you will be trying every possible combination.

### Techniques to Optimize Brute Force Attacks

You can reduce the time needed to break a password if you have some information about the password structure. If there is no information about the password, you will have to try every possible combination of characters and lengths. This means far more combinations and higher entropy.

First, you would have to try all combinations consisting of lowercase letters, then all consisting of uppercase letters, then all combinations consisting of numbers. You must then also try every mixture of these character classes. Plus, don’t forget about special symbols and characters. This increases the number of possible combinations immensely.

Websites and companies usually have a password policy or requirements. For instance, passwords can only consist of lowercase letters, uppercase letters, and numbers, and they must have a length of 8 to 32 characters. These parameters can reduce the time needed to crack a password because you’ll only need to try combinations within the requirements. You don’t need to try combinations with special characters, or combinations shorter than eight characters or longer than 32 characters, since they’re not required or even allowed.

Humans are lazy and often just meet the minimum requirements. So, you could even try only eight- to nine-character combinations with one uppercase letter, one number, and six to seven lowercase letters. This could even lead to a pattern. If we can find the pattern, breaking the password will become much easier. For example, credit-card PIN patterns are typically four to six characters long and consist only of numbers. Remember, our goal is to use the information to lower the entropy from our perspective and reduce the number of possible combinations for a password.
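The effect of a policy on the search space can be computed directly. The following is an added example, not part of the original lesson: it counts the candidates for the 8-to-32-character alphanumeric policy and for the minimum-effort pattern described above. The function names are assumptions of the example, as are the 26-letter ASCII alphabet and the rule that character classes may appear in any position.

```python
import math
from math import factorial

LOWER, UPPER, DIGIT = 26, 26, 10  # assumed class sizes: ASCII letters, digits


def policy_keyspace(alphabet_size, min_len, max_len):
    """Count every string over the alphabet with min_len <= length <= max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def pattern_keyspace(parts):
    """Count strings with an exact number of characters per class.

    parts is a list of (class_size, count); classes may sit in any position,
    so the per-class choices are multiplied by the multinomial coefficient.
    """
    arrangements = factorial(sum(count for _, count in parts))
    choices = 1
    for size, count in parts:
        arrangements //= factorial(count)
        choices *= size ** count
    return arrangements * choices


def entropy_bits(keyspace):
    """Entropy of a uniformly random pick from the keyspace, in bits."""
    return math.log2(keyspace)


def compare():
    """Keyspace per scenario from the text (constructed inputs, not real data)."""
    return {
        "policy: a-z A-Z 0-9, length 8-32": policy_keyspace(62, 8, 32),
        "exactly 8 chars of a-z A-Z 0-9": policy_keyspace(62, 8, 8),
        "8 chars: 1 upper, 1 digit, 6 lower": pattern_keyspace(
            [(UPPER, 1), (DIGIT, 1), (LOWER, 6)]),
        "9 chars: 1 upper, 1 digit, 7 lower": pattern_keyspace(
            [(UPPER, 1), (DIGIT, 1), (LOWER, 7)]),
        "numeric PIN, length 4-6": policy_keyspace(10, 4, 6),
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:38} {size:.3e} candidates  {entropy_bits(size):6.1f} bits")
```

Under these assumptions, a password that only meets the minimum composition pattern sits in a space of about 42 bits, against roughly 190 bits for the full policy.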

### An Example of Password Entropy

In this example, the password we’re trying to crack is P862. If we have no information about the password, we must try a lot of combinations. Our entropy will be around 25 bits, and we will have to try about 60 million combinations just for all possible one-, two-, three-, and four-character passwords. But if we’re given some information (such as that it has one uppercase letter and three numbers), we can reduce the number of possible combinations to under a thousand. That will give us an entropy of 10 bits.

To show you some more numbers, in the previous example, we could reduce the entropy to less than half of the original entropy by using information about the password structure. This allows us to break the password in roughly half the time, depending on the algorithm.

To summarize, brute force attacks are simple and easy to use, and they can crack any password and algorithm, but they can also take a lot of time and resources. We also saw that we can reduce the time to crack the password if we have some information about its structure. In the next lesson, we will look at the tools and commands we will be using to perform our attacks.

Investigate and share: A brute force attack tries every possible combination until the correct combination is found. What do you think some disadvantages of this approach could be?