Difference between revisions of "Brute force attack"
Jump to navigation
Jump to search
m |
m |
||
(4 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
==Countermeasures== | ==Countermeasures== | ||
There are three basic methods of thwarting brute-force attacks. | |||
;Complex Codes | |||
:One solution is to simply increase the length and complexity of pass codes. To succeed, the attacking program must be able to attempt all possible pass codes in a reasonable amount of time. For example, a four-digit, numeric pass code only has 10,000 possible combinations; if a brute force attack program can try 1,000 combinations per second, it will gain access within ten seconds. An eight-digit pass code has 100 million possible combinations; it would take the same attacking program nearly 28 hours to try them all. By increasing the length and complexity of pass codes, it is possible to make trying every combination impractical for '''any''' computer. The disadvantage of this defense is that it requires legitimate users to remember more complicated passwords. | |||
;Limited Retries | |||
:Another solution to brute force attacks is to disallow further attempts to enter a password after a small number of failures. For instance, an access point may allow only three attempts to login using a particular user account before locking the account; a brute force attack would in all likelihood fail thousands of times before finding the correct code, so it would not be able to gain access. The disadvantage of this defense is that it can lock out legitimate users who make mistakes entering their passwords. | |||
;Retry Delay | |||
:Yet another solution is to force an arbitrary time delay between authentication attempts. If the target system only allows one login attempt per minute, even a simple passcode can take an unfeasibly long time to crack. The disadvantage of this defense is that it causes delays for legitimate users who make mistakes entering their passwords. | |||
Most modern computer networks use some combination of the countermeasures listed above to thwart brute force attacks. | |||
==Examples== | |||
A real-world example of a brute force attack is an auto-dialer, a device that turns the wheel of a combination lock on a safe to try every possible combination until the safe opens. | |||
==See Also== | ==See Also== |
Latest revision as of 21:21, 10 January 2022
A brute force attack is a computer cracking technique in which the attacker uses an automated program to try every possible combination for a password or other security code in order to gain access. In theory, such an attack will always succeed if given enough time.
Countermeasures
There are three basic methods of thwarting brute-force attacks.
- Complex Codes
- One solution is to simply increase the length and complexity of pass codes. To succeed, the attacking program must be able to attempt all possible pass codes in a reasonable amount of time. For example, a four-digit, numeric pass code only has 10,000 possible combinations; if a brute force attack program can try 1,000 combinations per second, it will gain access within ten seconds. An eight-digit pass code has 100 million possible combinations; it would take the same attacking program nearly 28 hours to try them all. By increasing the length and complexity of pass codes, it is possible to make trying every combination impractical for any computer. The disadvantage of this defense is that it requires legitimate users to remember more complicated passwords.
- Limited Retries
- Another solution to brute force attacks is to disallow further attempts to enter a password after a small number of failures. For instance, an access point may allow only three attempts to login using a particular user account before locking the account; a brute force attack would in all likelihood fail thousands of times before finding the correct code, so it would not be able to gain access. The disadvantage of this defense is that it can lock out legitimate users who make mistakes entering their passwords.
- Retry Delay
- Yet another solution is to force an arbitrary time delay between authentication attempts. If the target system only allows one login attempt per minute, even a simple passcode can take an unfeasibly long time to crack. The disadvantage of this defense is that it causes delays for legitimate users who make mistakes entering their passwords.
Most modern computer networks use some combination of the countermeasures listed above to thwart brute force attacks.
Examples
A real-world example of a brute force attack is an auto-dialer, a device that turns the wheel of a combination lock on a safe to try every possible combination until the safe opens.