Brute force attacks are one of the oldest and simplest methods of cracking passwords: the attacker simply submits guess after guess, relying on the sheer number of attempts to eventually hit the correct one. This can be a lengthy process, but it is far more likely to succeed where passwords are short or common.
Enforcing strong passwords is therefore the most effective defence against brute force attacks. Each additional character multiplies the number of possible passwords by the size of the character set, so length increases the time a brute force attack takes exponentially rather than linearly, and is generally the most important factor in how secure a password is. Since most brute force tools are not purely random and try dictionary words and known common passwords first, complexity, in the sense of avoiding predictable words and patterns, matters as well.
However, there is another line of defence that makes most online brute force attacks infeasible. Today the vast majority of online login forms limit the number of login attempts that can be made in a short space of time, typically by throttling requests and locking the account after a handful of failures. Since brute force attacks rely on making millions or billions of guesses, this renders them ineffective against the application's login form. It does not, however, make high-entropy, brute-force-resistant passwords unnecessary, for the reasons below.
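The lockout mechanism described above, as an added example that is not part of the original article: an in-memory per-account throttle that counts failures in a sliding window and locks the account once a threshold is reached. The thresholds (5 failures in 15 minutes, 15-minute lock) and the `FakeClock`, `LoginThrottle` and `simulate_brute_force` names are assumptions for illustration, not any product's defaults.

```python
"""Per-account login throttling with a failure window and lockout.

Added example, not from the original article. Thresholds are assumed
illustrative values, not the defaults of any real product.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # assumed: failures tolerated inside the window
WINDOW_SECONDS = 15 * 60    # assumed: sliding window for counting failures
LOCKOUT_SECONDS = 15 * 60   # assumed: how long the account stays locked


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable so tests can fake time
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:            # lock expired: reset state
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account, password, verify):
        """Return (allowed, success). `verify(account, password)` is the real check."""
        now = self._clock()
        if self.is_locked(account):
            return False, False               # refused without touching the verifier
        ok = verify(account, password)
        if ok:
            self._failures[account].clear()
            return True, True
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
        return True, False


class FakeClock:
    """Deterministic clock so the simulation below runs instantly."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_brute_force(real_password="correct horse", guess_count=1000):
    """Fire `guess_count` wrong guesses at 100/s; report how many the server
    actually evaluated before lockout, and whether the account ended locked."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    verify = lambda account, pw: pw == real_password
    evaluated = 0
    for i in range(guess_count):
        allowed, _ = throttle.attempt("alice", f"guess{i}", verify)
        if allowed:
            evaluated += 1
        clock.advance(0.01)
    return evaluated, throttle.is_locked("alice")


if __name__ == "__main__":
    print(simulate_brute_force())   # 1000 guesses sent, only 5 evaluated
```

Only the first `MAX_FAILURES` guesses ever reach the verifier; everything after that is refused until the lock expires. A real deployment also needs a per-source limit, since this per-account counter is exactly what password spraying is designed to stay under, and it should weigh a hard lock against the denial of service an attacker can cause by deliberately locking victims out.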
Why brute force attacks are still a threat
While lockout mechanisms are now standard in virtually all cloud applications, some services only get them if an administrator configures them. Windows Remote Desktop Protocol (RDP) is the usual example: it relies on the host's account lockout policy, so an RDP port exposed to the internet with no lockout threshold set can be guessed at indefinitely. With the increasing use of RDP due to the trend towards remote working, brute force attacks on these often-vulnerable ports have skyrocketed; at the start of the COVID-19 pandemic, the number of such attacks leaped from 150,000 per day to almost a million.
Password spraying attacks
As an alternative to brute force attacks, many attackers now use a tactic known as 'password spraying'. In contrast to a brute force attack, where a large number of passwords are guessed for one account, a password spraying attack guesses a small number of passwords against a very large number of accounts, typically one or two per account per lockout window, so that no single account ever trips the lockout threshold. The most commonly used passwords are prioritised in the hope that at least one account will match. Specific accounts cannot be targeted in this manner, but it is a highly effective tool for gaining initial access to an organisation, and because it never exceeds the per-account failure count, detecting it means looking across accounts (many distinct usernames from one source) rather than at failures per account.
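Detection logic for the distinction just drawn, as an added example that is not part of the original article. It parses a constructed authentication log and, per source address and time window, flags a source that hammers one account (brute force) separately from a source that touches many accounts a few times each (spraying). The log format, the field names, the thresholds and the function names are all assumptions for the example.

```python
"""Telling password spraying apart from brute force in authentication logs.

Added example, not from the original article. The log lines are
constructed for illustration; the line layout and thresholds are assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN_FAILURES = 5   # assumed: failures on one account from one source
SPRAY_MIN_ACCOUNTS = 5         # assumed: distinct accounts tried from one source
SPRAY_MAX_PER_ACCOUNT = 2      # assumed: spraying stays under per-account lockout

# Constructed sample: 203.0.113.7 brute-forces alice; 198.51.100.23 sprays
# six accounts once each and gets into grace; 192.0.2.5 is a normal user typo.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:06 FAIL user=alice src=203.0.113.7
2024-03-01T09:01:10 FAIL user=bob src=198.51.100.23
2024-03-01T09:01:11 FAIL user=carol src=198.51.100.23
2024-03-01T09:01:12 FAIL user=dave src=198.51.100.23
2024-03-01T09:01:13 FAIL user=erin src=198.51.100.23
2024-03-01T09:01:14 FAIL user=frank src=198.51.100.23
2024-03-01T09:01:15 SUCCESS user=grace src=198.51.100.23
2024-03-01T09:02:30 FAIL user=heidi src=192.0.2.5
2024-03-01T09:02:45 SUCCESS user=heidi src=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")


class AuthEvent(NamedTuple):
    ts: datetime
    success: bool
    user: str
    src: str


def parse(log_text):
    """Turn log text into AuthEvents, skipping lines that do not fit the layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append(AuthEvent(datetime.fromisoformat(ts), result == "SUCCESS", user, src))
    return events


def detect(events, window=WINDOW):
    """Return one finding per (source, attack type) seen in any sliding window."""
    findings = {}
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e.ts - start.ts <= window]
            attempts = Counter(e.user for e in span)
            failures = Counter(e.user for e in span if not e.success)
            # Brute force: many failures concentrated on a single account.
            for user, n in failures.items():
                if n >= BRUTE_FORCE_MIN_FAILURES:
                    findings.setdefault((src, "brute_force"), {
                        "type": "brute_force", "src": src, "user": user, "failures": n})
            # Spraying: many accounts, none touched often enough to lock out.
            if len(attempts) >= SPRAY_MIN_ACCOUNTS and max(attempts.values()) <= SPRAY_MAX_PER_ACCOUNT:
                findings.setdefault((src, "password_spray"), {
                    "type": "password_spray", "src": src, "accounts": len(attempts),
                    "compromised": sorted({e.user for e in span if e.success})})
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The per-account lockout from the previous section would have stopped alice's attacker on its own, but the spray from 198.51.100.23 never makes more than one attempt per account, so only a view keyed on the source and spanning accounts surfaces it, along with the one account it succeeded against.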
Offline brute force attacks
While lockout mechanisms render online brute force attacks ineffective, these protections do not apply to offline attacks against password hashes stolen in a data breach. Here the attacker has unrestricted access to the hashes and can throw as much computing power at them as they can afford. How fast guesses can be tested then depends on the hashing algorithm: a fast, unsalted hash allows billions of guesses per second on commodity GPUs, whereas a deliberately slow, salted password hash such as bcrypt, scrypt or Argon2 cuts that rate by orders of magnitude. In either case weaker passwords fall first, and the importance of long, high-entropy credentials remains critical.
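The arithmetic behind the length argument above and in the opening section, as an added example that is not part of the original article: it tabulates the worst-case time to exhaust several password policies at an online and two offline guess rates, and then actually brute-forces a short, unsalted SHA-256 digest to show how quickly a four-character lowercase password falls. The guess rates are assumed round figures for illustration (about 10/s against a throttled form, 1e10/s for a fast unsalted hash on GPUs, 1e4/s for a slow password hash), and the "leaked" hash of the password `dusk` is constructed inside the block.

```python
"""Keyspace growth with length versus character set, plus a toy offline crack.

Added example, not from the original article. Guess rates are assumed
round figures; the target hash is constructed here for the demonstration.
"""
import hashlib
import itertools
import math
import string

# Assumed guess rates, rounded for illustration.
RATES = {
    "online, throttled form": 10,
    "offline, fast unsalted hash on GPUs": 1e10,
    "offline, slow salted password hash": 1e4,
}

# (character set size, length) for a few representative policies.
POLICIES = {
    "8 chars, lowercase": (26, 8),
    "8 chars, mixed case + digits": (62, 8),
    "8 chars, full printable": (94, 8),
    "12 chars, lowercase": (26, 12),
    "16 chars, lowercase": (26, 16),
}


def keyspace(charset_size, length):
    """Number of candidate passwords: each extra character multiplies by the set size."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password of this shape (expected is about half)."""
    return keyspace(charset_size, length) / guesses_per_second


def crack_time_table(policies=POLICIES, rates=RATES):
    """Map (policy, rate label) -> worst-case seconds to exhaust the keyspace."""
    return {
        (pname, rname): seconds_to_exhaust(cs, ln, rate)
        for pname, (cs, ln) in policies.items()
        for rname, rate in rates.items()
    }


def crack_sha256(target_hex, charset, max_len):
    """Exhaustive offline search against a single unsalted SHA-256 digest.

    Returns (password, guesses_made) or (None, guesses_made) if not found.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(tup)
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
                return candidate, guesses
    return None, guesses


# Constructed "leaked" digest of a short lowercase password, for the demo.
LEAKED_HASH = hashlib.sha256(b"dusk").hexdigest()

if __name__ == "__main__":
    year = 365 * 24 * 3600
    for (pname, rname), secs in crack_time_table().items():
        print(f"{pname:30} {rname:38} {secs / year:12.3g} years")
    print(crack_sha256(LEAKED_HASH, string.ascii_lowercase, 4))
```

Two things stand out in the table: 12 lowercase characters give a larger keyspace than 8 characters drawn from the full printable set, which is the sense in which length beats complexity, and the same password that would take years against a throttled form is exhausted in seconds offline against a fast hash. The toy crack finds `dusk` after fewer than a hundred thousand guesses, a fraction of a second even in pure Python.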
Enforcing strong passwords with Single Sign-On
To protect against password attacks which exploit weak and re-used passwords, many organisations implement password policies. However, for these to be effective, organisations are almost entirely reliant on end users to adhere to them. Regardless of policy, users often choose simple, common passwords that are easier to memorise, and with the average person having over 100 passwords, expecting end users never to re-use a password is impractical: many employees re-use passwords across personal and corporate accounts.
To solve this problem, organisations are increasingly turning to technological solutions which remove the human limitations in generating, memorising and managing passwords. A Single Sign-On solution can generate high-entropy passwords for users, store them, and fill them into login forms automatically when an application is accessed. Where an application supports it, password-based authentication can be replaced entirely by federated protocols such as SAML or OIDC: the application then accepts a signed assertion or token issued by the identity provider and never handles a password, so its login form ceases to be a brute force target. The identity provider's own login becomes the one place to harden, and should itself enforce lockout and multi-factor authentication.
By implementing Single Sign-On, organisations can mitigate the risk presented by credentials and password-based authentication. Instead of relying on end users to safeguard corporate data, organisations address the root cause of the password problem and gain high assurance that the credentials protecting their systems and data are strong.