What is a brute force attack, and what's the best defense?
by Oliver Haslam
A brute force attack is exactly what it sounds like: an attacker using sheer force of repetition in an attempt to gain access to a computer, website, or anything else that requires some form of authentication. Thankfully, it’s very easy to increase your protection, and we’ll explain how in just a moment.
A brute force attack essentially involves spending time and computing power to guess at some form of authentication. That may be a username and/or password, or it could be a passcode used on a smartphone. It could even be the PIN on a bank card, but whatever it is, the idea of a brute force attack is to repeatedly guess combinations of characters until the correct one grants access.
As computers gain in speed and attackers improve their tools, they get better at cracking passwords, especially if those passwords are of poor quality. It’s for this reason that strong, unique and lengthy passwords are of the utmost importance.
A current method is to use high-powered gaming graphics processors in an attempt to speed up the rate at which passwords are guessed. Another is to gain control of many remote computers, via trojans and the like, to allow their processing power to be pooled together, creating a distributed supercomputer of sorts.
This is one reason why strong, unique passwords are so incredibly important. The longer and more random your password, the longer it will take to crack.
In order to make it more difficult for attackers to gain entry to your accounts by brute force, there are some steps you can take. As we have already covered, making sure that a password is sufficiently lengthy while making use of all of the character types available is a great start, and it’s also important to remember that while you may think you’re choosing a random password, you very likely are not.
For this reason we suggest using the 1Password password generator — which is also built into the 1Password apps — when creating new passwords.
With this, you can choose how long you want your new password to be, and how complex. Combining upper and lowercase letters with digits and special characters thrown in for good measure should be used wherever possible.
You can make your passwords even longer, if you like. Here’s what our Chief Defender Against the Dark Arts, Jeffrey Goldberg, has to say on the matter:
“If the world’s fastest computer could check a password as quickly as it can add two numbers, and if you had a billion of those computers all guessing passwords, it would take more than a million times the age of the universe to go through all of the 52²³ possibilities from a 23 character password created with the Strong Password Generator included with 1Password.
Put even more simply: nothing is going to crack a password generated with our Strong Password Generator this way.”
And of course, because you’re using 1Password, you don’t need to be able to remember the password, either — so using a super secure password is just as convenient as a short one when it comes to logging in.
When choosing a passcode, making sure it is of sufficient length is important, as is using digits as well as letters. As an example, if you select a passcode with just two characters in it, there are only 100 possibilities as to what it could be. However, if you create a password with a combination of ten digits and letters, the possibilities grow to 171.3 quintillion (1.71 × 10^20). That’s a huge number, and even with some machines able to test 10.3 billion passwords per second, such a password could take 526 years to crack.
Another way to look at this is password entropy, a way of measuring password strength in bits. Rather than stating the number of guesses needed to find the correct password, the base-2 logarithm of that number is given, known as the number of “entropy bits” in a given password. Things start to devolve into complex mathematics pretty quickly here, and more information on password entropy is readily available online.
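To make the arithmetic in the two preceding paragraphs concrete, here is an added Python example (not code from the original post or from 1Password) that computes the search space, the entropy in bits and the worst-case exhaustive-search time for a given alphabet size, length and guess rate, and estimates the pool size of a specific password from the character classes it uses. The character-class pools, the sample passwords and the guess rate are assumptions; the pool-based estimate is an upper bound, since it assumes the password was drawn uniformly at random, which human-chosen passwords are not.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Assumed ASCII character-class pools: 26 + 26 + 10 + 32 = 94 characters in total.
POOLS = {
    "lower": frozenset(ascii_lowercase),
    "upper": frozenset(ascii_uppercase),
    "digit": frozenset(digits),
    "symbol": frozenset(punctuation),
}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string, i.e. log2 of its search space."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time, in years, to try every candidate at the given guess rate.
    On average an attacker finds the right one after about half this many guesses."""
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def pool_size(password: str) -> int:
    """Size of the union of the character classes that appear in `password`.
    Treating this union as the alphabet assumes the password was drawn uniformly at
    random from it, so the resulting entropy is an upper bound for human-chosen passwords."""
    size = sum(len(chars) for chars in POOLS.values() if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from the known pools")
    return size


def estimated_bits(password: str) -> float:
    """Upper-bound entropy estimate, in bits, for a specific password string."""
    return entropy_bits(pool_size(password), len(password))


if __name__ == "__main__":
    rate = 10.3e9  # guesses per second, the figure quoted in the post
    for alphabet, length in [(10, 2), (36, 8), (62, 10), (94, 20)]:
        print(f"alphabet={alphabet:3d} length={length:2d} "
              f"space={search_space(alphabet, length):.3e} "
              f"bits={entropy_bits(alphabet, length):6.1f} "
              f"years={years_to_exhaust(alphabet, length, rate):.3e}")
    for pw in ("hunter2", "Tr0ub4dor&3"):  # constructed sample passwords
        print(f"{pw!r}: pool={pool_size(pw)} bits<={estimated_bits(pw):.1f}")
```

The same functions reproduce the figure in the quote above: a 23-character password over a 52-character alphabet has 23 × log2(52), roughly 131 bits of entropy, which is why exhaustive search is out of reach regardless of the guess rate.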
With all of this in mind, we recommend a password that’s at least 20 characters, made up of letters, numbers, and special characters like ^, \, and ~. The more characters you use, the longer it will take anyone — or anything — to crack your password.
Now would also be a great time to go through your existing passwords and make sure that they meet our new minimum criteria to ensure nothing falls through the cracks. We’ve spoken about Watchtower before, but it bears covering again. Watchtower, built right into 1Password 7, is invaluable when it comes to making sure passwords are unique and are not known to have previously been compromised. Why not take a few minutes to make sure that your passwords are safe and secure, changing those that don’t cut the mustard?
Many of the things that can be done to help protect against brute force attacks aren’t actually in the hands of users, but rather the websites and services that they use. Limiting the number of successive password attempts is a prime example of something a service can do, as is enabling multi-factor authentication. If you have an account that supports multi-factor authentication but do not have it turned on, enabling it is a great step you can take to help protect yourself. This way, even if someone were able to crack your password, they still wouldn’t be able to log in.
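As an added example of the service-side control mentioned above (not code from the original post or from 1Password), the following Python sketch keeps a sliding window of failed login attempts per account and refuses further attempts once a threshold is crossed, so an attacker cannot simply try guesses at full speed against a live login form. The thresholds, the constructed user table and the use of PBKDF2-SHA256 for the stored credential are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ITERATIONS = 50_000  # assumed; a real deployment tunes this or uses argon2/bcrypt


def make_user_table(plaintext_credentials: dict) -> dict:
    """Constructed user store: username -> (salt, PBKDF2-SHA256 digest). Demo only."""
    table = {}
    for username, password in plaintext_credentials.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        table[username] = (salt, digest)
    return table


class LoginAttemptLimiter:
    """Sliding-window counter of failed logins per key (here the account name).
    Once `max_failures` failures fall inside `window_seconds`, further attempts are refused
    until the oldest failure ages out. The clock is injectable so the behaviour can be tested."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_blocked(self, key: str) -> bool:
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, key: str) -> None:
        self._failures[key].append(self.clock())

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: LoginAttemptLimiter, users: dict, username: str, password: str) -> str:
    """Returns 'blocked', 'denied' or 'ok'. The limiter is consulted before any password
    check, so a blocked account is refused even when the supplied password is correct."""
    if limiter.is_blocked(username):
        return "blocked"
    record = users.get(username)
    if record is None:
        # Unknown user: still count the failure so guesses at usernames are throttled too.
        limiter.record_failure(username)
        return "denied"
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if hmac.compare_digest(candidate, stored):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "denied"


if __name__ == "__main__":
    users = make_user_table({"alice": "correct horse battery staple"})  # constructed
    limiter = LoginAttemptLimiter(max_failures=3, window_seconds=60)
    for guess in ("password", "letmein", "123456", "correct horse battery staple"):
        print(f"alice/{guess!r}: {attempt_login(limiter, users, 'alice', guess)}")
```

Keying the window on the account name alone means a flood of bad guesses against one account locks its legitimate owner out as well, so production systems usually combine account and source-address keys, prefer escalating delays over a hard lockout, and pair the limit with multi-factor authentication as the post recommends.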
As with many things in life, we can reduce the risk as much as possible by making the right decisions and implementing the correct systems.
The good news is that by using 1Password, Watchtower and strong, unique passwords you’re well on your way to doing both of those things.