Brute force attack
A brute force attack is a crude hacking method used to obtain unauthorized access to a target system. In a brute force attack the attacker mostly uses automated software to generate a large number of username and password combinations. Brute force attacks may be used by criminals to crack encrypted data or gain unauthorized access to systems, or by security analysts to test an organization’s network security.
Put simply, in layman's terms: a brute force attack is nothing but trying to guess or generate username and secret password/PIN combinations with the help of a computer and using them against the target computer until the right combination is hit. It is a very time-consuming task and is definitely not as easy as it is shown in the movies.
The attacker first generates millions or even billions of username and password combinations and then feeds them to a program that automatically hits the target system with each generated combination until it finds the right one.
Brute force is not limited to guessing user credentials; it is also used to reverse hashed messages. Hashing is a method of generating a completely different, unique, random-looking text from the original message. So even if an attacker is able to access the hashed message, he can’t understand it or use it to log in, because hashing is one way, i.e. we cannot reverse the hash to the original message.
So in order to find the original message from the hash, attackers use rainbow tables, i.e. a pre-generated database of hashes of username/password details computed in advance. When the hash is run against the rainbow table, there is a good chance of getting the actual message (if your username/password is a dictionary word or a very common word).
Preventing brute force attacks from happening
Have you ever come across the screen below while surfing the internet? It means the system is asking you to verify that you are not automated software or a bot trying to gain access, but an actual human being.
To prevent brute force attacks, most companies use a captcha image. A captcha is an image with random text, as below. Once you enter your credentials, you are expected to read what’s on the captcha image and submit it in the given input box. The target system first verifies whether the captcha is correct, and only then considers checking your credentials with the authentication system; otherwise it ignores your request.
An automated bot cannot guess the captcha because it is a random, computer-generated image created on the fly, i.e. the target system generates and shows the captcha image only when you visit the page.
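The order of checks described above, as an added example that is not part of the original article: a fresh captcha is generated on each visit, it is verified first, and the credentials are checked only once it passes. The names new_challenge, login, USERS, PENDING and SALT are hypothetical, the in-memory dictionaries stand in for real session and user storage, and rendering the text as an image is left out.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one user whose password is stored as a PBKDF2 hash.
# A single fixed salt keeps the example short; real systems use a random salt per user.
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

# challenge_id -> expected captcha text (assumption: stands in for session storage)
PENDING = {}

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


def new_challenge():
    """Create a captcha on the fly for one page visit.

    Returns (challenge_id, text); the text would be drawn into an image and
    only the challenge_id would be sent to the browser.
    """
    challenge_id = secrets.token_urlsafe(16)
    text = "".join(secrets.choice(ALPHABET) for _ in range(6))
    PENDING[challenge_id] = text
    return challenge_id, text


def login(username, password, challenge_id, captcha_answer):
    """Verify the captcha first; look at the credentials only if it passes."""
    # pop() makes every challenge single-use, so a solved captcha cannot be
    # replayed for many password guesses.
    expected = PENDING.pop(challenge_id, None)
    answer = captcha_answer.strip().upper().encode()
    if expected is None or not hmac.compare_digest(expected.encode(), answer):
        return "captcha_failed"  # request ignored, no credential check happens

    stored = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return "bad_credentials"
    return "ok"
```

Because each challenge is consumed on first use, every further guess requires solving a new captcha, which is what slows an automated tool down.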