
What Is a Brute Force Attack?

Rose de Fremery, May 10, 2022
We tend to imagine hackers as brilliant masterminds playing three-dimensional chess, but the reality is, some of them still come wielding old-school digital sledgehammers instead of brilliantly crafted, next-level hacking tools. Although it is true that some of today's most audacious hacks involve highly sophisticated techniques – the SolarWinds hack certainly did – brute force attacks are still incredibly common. In fact, they've been making a comeback since working from home became so commonplace. Here's what a brute force attack is, why cyber criminals still use this blunt instrument, and how you can protect your business against it.

What is a brute force attack?

In a brute force attack, a hacker uses a simple automated tool to try to guess a username and password that will grant access to a company's website or app (or, in some cases, an encrypted file). The tool pelts the target with an endless stream of username and password combinations until it lands on one that works. Once the hacker has access to that system, they can use that foothold to start poking around in the victim's network, find juicy resources to exploit, or plant dangerous malware. Although this method takes time and computing resources, it can and does work – which is why it's still around today.

There are a few different versions of the brute force attack. A dictionary attack literally throws the book at you, deploying every word in the dictionary along with some numbers and characters in an attempt to guess a password that will work for a specific account. A hybrid brute force attack blends the dictionary attack with a simple brute force attack: the hacker already knows a username and combines a dictionary attack with standard brute force techniques to figure out the password. Then there's the reverse brute force attack, in which a hacker either already knows a password or picks a very common one and systematically pairs it with many different usernames to see if there's a match.

Lastly, there's credential stuffing, in which an attacker already has a working username and password for one account and tries that same pair on other systems. Sadly, this approach is more effective than it should be because people tend to re-use the same password across multiple websites and apps. Once a hacker has compromised one of those accounts – or simply bought its credentials on the dark web after they were exposed in a data breach – it's a simple matter to fire up an automated tool and try the same login information against other systems and services.
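Each of the variants above leaves a different fingerprint in an authentication log, which is what a defender can key on. The following Python is an added example, not code from the original post or from LastPass: it runs simple heuristics over a constructed sample log (the log format, the IP addresses, the usernames and every threshold are assumptions) and labels each noisy source with the pattern it matches. It goes slightly beyond the text by also checking for the credential-stuffing signature, which shows up as many different accounts each tried once or twice from many different low-volume sources, with a few of those logins succeeding.

```python
"""Heuristic classifier for the brute force variants described above.

Added example (not code from the original post). The log format is a
constructed one: "<seconds> <username> <source_ip> <ok|fail>" per line.
Thresholds are assumed tuning values, not recommendations from any product.
"""
from collections import defaultdict

# Constructed sample: one hammered account, one source spraying many
# accounts, and a scatter of single tries from many different addresses.
SAMPLE_LOG = """\
0 alice 203.0.113.7 fail
1 alice 203.0.113.7 fail
2 alice 203.0.113.7 fail
3 alice 203.0.113.7 fail
4 alice 203.0.113.7 fail
5 alice 203.0.113.7 fail
10 bob 198.51.100.9 fail
11 carol 198.51.100.9 fail
12 dave 198.51.100.9 fail
13 erin 198.51.100.9 fail
14 frank 198.51.100.9 fail
20 user1 192.0.2.10 fail
21 user2 192.0.2.11 ok
22 user3 192.0.2.12 fail
23 user4 192.0.2.13 ok
24 user5 192.0.2.14 fail
25 user6 192.0.2.15 fail
30 grace 203.0.113.50 fail
31 grace 203.0.113.50 ok
"""

FAIL_THRESHOLD = 5        # failures from one source before it is flagged (assumed)
SPRAY_MIN_USERS = 5       # distinct accounts that mark the reverse pattern (assumed)
STUFF_MIN_USERS = 5       # distinct accounts tried from "quiet" sources (assumed)
STUFF_MIN_SOURCES = 5     # distinct quiet sources in play (assumed)
STUFF_MAX_PER_USER = 2    # stuffing tries each leaked pair once or twice (assumed)


def parse(log_text):
    """Turn the constructed log into (timestamp, user, source, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((int(ts), user, src, result == "ok"))
    return events


def classify_sources(events):
    """Label each noisy source: one account hammered -> brute_force
    (dictionary/hybrid); many accounts from one source -> reverse_brute_force."""
    failures = defaultdict(list)
    for _ts, user, src, ok in events:
        if not ok:
            failures[src].append(user)
    findings = {}
    for src, users in failures.items():
        if len(users) < FAIL_THRESHOLD:
            continue
        distinct = len(set(users))
        if distinct == 1:
            findings[src] = "brute_force"
        elif distinct >= SPRAY_MIN_USERS:
            findings[src] = "reverse_brute_force"
        else:
            findings[src] = "suspicious"
    return findings


def credential_stuffing_suspected(events):
    """Credential stuffing looks different: many accounts, each tried once or
    twice, spread across many low-volume sources, with some logins succeeding."""
    attempts_by_src = defaultdict(int)
    for _ts, _user, src, _ok in events:
        attempts_by_src[src] += 1
    quiet = {src for src, n in attempts_by_src.items() if n < FAIL_THRESHOLD}

    per_user = defaultdict(int)
    successes = 0
    for _ts, user, src, ok in events:
        if src in quiet:
            per_user[user] += 1
            successes += ok
    suspected = (
        len(per_user) >= STUFF_MIN_USERS
        and len(quiet) >= STUFF_MIN_SOURCES
        and all(n <= STUFF_MAX_PER_USER for n in per_user.values())
    )
    return {"suspected": suspected, "accounts": len(per_user),
            "sources": len(quiet), "successes": successes}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(classify_sources(evs))           # per-source labels
    print(credential_stuffing_suspected(evs))
```

On the sample, 203.0.113.7 is labelled `brute_force` (one account, six failures), 198.51.100.9 is labelled `reverse_brute_force` (five accounts from one source), and the remaining scatter trips the stuffing check. A production detector would bucket by time window and feed these labels into lockout or alerting, but the grouping logic is the same.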

What's the goal of a brute force attack?

Attackers can use brute force attacks to achieve a variety of goals. If a hacker is experienced, they will probably try to move laterally within the network to see what's available and worth exploring, performing a silent inventory of resources to potentially exploit when the moment is right. If they're newbies or just feeling cocky, they may simply want to mess around with the victim's website or app to get attention or impress other novice hackers.

A bad actor may want to steal information that they can use to commit fraud or simply sell on the dark web for a tidy sum. They could also pillage business data and threaten to publish it in a data breach, demanding a hefty ransom for its return. The attacker could just install some nasty malware if they want. Or, they may have even darker aims – such as using the compromised system to stage larger and more damaging attacks on the target or even another organization.

Unless and until they're detected, the hacker may well have the run of the place. Instead of racing to spot them in time and then deal with the damage they've done, it's better to keep them from finding a way in.

How can a password manager help?

Your business can reduce its chances of falling victim to a brute force attack. An effective business password policy is an essential first line of defense against just this sort of incursion, and a password manager can be particularly helpful in warding off one of these crude but common assaults. Long and complex passwords take a lot longer to crack with a brute force attack, but keeping track of them can be a chore. A password manager stores your passwords in an encrypted vault, keeping them safely shielded from any bad actors who might want to find a way into your company's systems.

If the password manager notices that one of your passwords is being used for multiple accounts, it will let you know right away so you can create a unique, secure password for each of the affected accounts. Creating those passwords is easier, too, with the password manager's built-in password generator. Dark web monitoring automatically alerts you when one of your accounts has appeared on the dark web, so you can change the password for that account before a hacker comes knocking.

You can also use a password manager's multi-factor authentication (MFA) feature to set up an additional form of authentication beyond the standard username and password combination. For example, you can configure it to send you a one-time code via text message or email, or you can use an authenticator app to generate the code directly on your smartphone. Or, if you want to get really sophisticated, you can use biometrics like fingerprint recognition to lock your account down even more effectively. Since it's harder for a bad actor to get hold of these additional credentials, they'll have a more difficult time executing a successful brute force attack. What's more, since MFA tools typically send out a notification when someone (hopefully you) tries to log into one of your accounts, you'll have a timely heads-up if something fishy is going on.
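To make three of the password manager features above concrete (the reused-password check, the "longer takes longer to crack" point, and the built-in generator), here is an added Python example; it is not LastPass code. It audits a constructed vault for passwords shared across accounts, estimates the worst-case time to exhaust a password's keyspace from its length and character mix at an assumed guess rate, and produces a replacement with the standard library's CSPRNG. The vault contents, the 16-character minimum and the 10^10 guesses-per-second figure are all assumptions for illustration.

```python
"""Vault audit: reused-password check, brute-force time estimate, and a
password generator. Added example, not LastPass code. VAULT contents,
MIN_LENGTH and GUESSES_PER_SECOND are assumptions for illustration."""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed vault: account -> password (plaintext only for this demo).
VAULT = {
    "mail": "Summer2022!",
    "crm": "Summer2022!",
    "bank": "correct-horse-battery-staple-9",
    "wiki": "Summer2022!",
    "vpn": "h7#Qp2$v",
}
MIN_LENGTH = 16                  # assumed policy minimum
GUESSES_PER_SECOND = 1e10        # assumed offline guessing rate, illustration only


def reused_passwords(vault):
    """Group accounts that share a password. Comparing digests rather than
    plaintext is how a manager can run this check without handling the raw
    secrets more than necessary."""
    groups = defaultdict(list)
    for account, pw in vault.items():
        groups[hashlib.sha256(pw.encode()).hexdigest()].append(account)
    return [sorted(accs) for accs in groups.values() if len(accs) > 1]


def charset_size(pw):
    """Size of the standard character-class mix that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size


def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust every string of pw's length over its
    character classes; length matters far more than any single symbol."""
    return charset_size(pw) ** len(pw) / rate


def generate_password(length=20):
    """Random password from a CSPRNG (the secrets module), as a generator would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(vault, min_length=MIN_LENGTH):
    """Return (issue, detail) findings: reused groups and too-short passwords."""
    findings = [("reused", tuple(group)) for group in reused_passwords(vault)]
    for account, pw in vault.items():
        if len(pw) < min_length:
            findings.append(("short", account))
    return findings


if __name__ == "__main__":
    for issue, detail in audit(VAULT):
        print(issue, detail)
    for account, pw in VAULT.items():
        print(f"{account}: worst case {brute_force_seconds(pw):.3g} s to exhaust")
    print("replacement:", generate_password())
```

On the constructed vault the audit flags `Summer2022!` as shared by three accounts and four of the five passwords as too short. The time estimate shows why the text stresses length: the eight-character `vpn` password covers all four classes yet its whole keyspace is exhaustible in about a week at the assumed rate, while the thirty-character passphrase uses fewer classes and is still astronomically larger. The estimate is a worst-case keyspace count, not a prediction of how a dictionary or hybrid attack would fare against a guessable password like `Summer2022!`.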

Protect your business from brute force attacks

Brute force attacks aren't the fanciest tool in a hacker's toolbox, but they still work. Now that remote work is so popular, opportunistic cyber criminals are using brute force attacks to kick the tires and hopefully land a big payday. These attacks often zero in on passwords, and they're more likely to succeed if you don't have strong, unique passwords in place on each of your accounts. A password manager can help you set and securely store strong passwords for each account, making it much less likely that a brute force attack on your business will succeed. Learn how LastPass Business helps protect your business from a brute force attack.