A brute force attack doesn’t need a Hulk

220423

You can’t get into your account after a few failed password attempts. How come hackers seem to get in by trial and error?

Hackers don't need your password to mount a brute force attack. Most well-run online systems never see their users' passwords in usable form, let alone store them. Instead, when you create a password, a one-way algorithm turns it into a fixed-length string of letters and numbers known as a "hash". The same algorithm will always produce the same hash from the same password, but there is no practical way to start with the hash and work backwards to the password that created it.

So, when you type in your password, the system re-creates the hash from what you just typed and, if it matches the hash it has on record, it concludes that you entered the correct password. Your password is supposedly safe in the online system because no one can work backwards from the stored hash to discover it.

However, when a data breach occurs, it is quite common for a list of usernames and their associated password hashes to be stolen. This list is the first thing our hacker needs. He (or "she", of course) will probably buy it on the dark web.

Brute force attack

The second thing that Mr/Ms Uptonogood needs is a computer program that generates candidate passwords and calculates the hash that each one produces. Such programs are easy to acquire, and many are free. The program then compares each hash it generates against the whole list of stolen hashes. If it finds a match, the hacker simply pairs the username (bought along with the hashes) with the password that produced the matching hash. Et voilà, he has a working username/password combination. This is known as a "brute force attack" because the hacker just keeps trying passwords without any prior knowledge of what the correct one might be.

He does not need to keep entering password guesses into the system he is trying to get into, so its "locked out after a few failed attempts" rule never triggers. All the work has been done "offline". The correct username/password combination is entered right first time, just as it is for the rightful owner on days when their fingers are not fat.

More sophisticated than brute force

Image: World Password Day - encouraging good passwords and reducing brute force attacks. Caption: Please try to contain your excitement.

This is only the beginning of what he can do. As time goes by, more and more actual passwords are revealed in data breaches and through other means, and so there are growing lists of ALL the passwords that have EVER been discovered to be in use. So instead of starting by hashing every two-letter combination, then every three-letter combination, and so on, he will almost certainly start his "work" by hashing the passwords already known to have been used, because people reuse them. That is one of the reasons why you must never use the same password twice and never use a password that someone else might have used.

There are plenty of other techniques he can use as well. For instance, he can hash every word in the dictionary, and then hash the obvious variations of each word that people actually type: a capital letter at the front, a digit or two and an exclamation mark at the end, a year. So if you thought you were being clever by using "antidisestablishmentarianism" as your password, then maybe you were wrong. Maybe someone has used that word before and it has turned up in a known data breach. Or maybe the hacker is simply hashing dictionary words, in which case its length counts for nothing.
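To make the offline attack in the last few sections concrete, here is a small Python sketch. It is an added example, not code from the original post or any real cracking tool, and everything in it is constructed: the system is assumed to use plain, unsalted SHA-256 (a hypothetical choice), the usernames, the "breach dump" and the wordlists are made up, and the wordlists are a handful of entries standing in for the millions a real attacker holds. It runs the cheapest guesses first (known breached passwords, then dictionary words with mangling rules, then an exhaustive search of short passwords), hashing each guess once and checking it against every stolen hash at the same time.

```python
"""Offline cracking of an unsalted password-hash dump (constructed example)."""
import hashlib
import itertools
import string


def sha256_hex(text: str) -> str:
    """The target system's hash function: assumed here to be unsalted SHA-256."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "breach dump" of (username, hash). It is built from plaintexts only so
# the example is self-contained; the attacker holds nothing but the hashes.
STOLEN_DUMP = [
    ("alice", sha256_hex("123456")),                      # on every breached-password list
    ("frank", sha256_hex("123456")),                      # same password, same hash: no salt
    ("bob", sha256_hex("antidisestablishmentarianism")),  # a dictionary word, however long
    ("carol", sha256_hex("Summer2019!")),                 # dictionary word + common mangling
    ("dave", sha256_hex("zq7")),                          # short enough to exhaust
    ("erin", sha256_hex("Xk9#mP2vL8qR4tWn")),             # long and random: survives
]

# Constructed stand-ins for the attacker's wordlists (hypothetical, tiny on purpose).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]
DICTIONARY_WORDS = ["summer", "winter", "dragon", "antidisestablishmentarianism"]
SUFFIXES = ["", "1", "123", "!", "2019", "2019!"]


def mangle(word):
    """Cheap 'rules' turning one dictionary word into the variants people actually type."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(max_brute_len=3, alphabet=string.ascii_lowercase + string.digits):
    """Cheapest guesses first: known passwords, dictionary + rules, then every short string."""
    yield from BREACHED_PASSWORDS
    for word in DICTIONARY_WORDS:
        yield from mangle(word)
    for length in range(1, max_brute_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(dump, hash_fn=sha256_hex, **kwargs):
    """Hash each candidate once and look it up against the whole dump.

    With no per-user salt, one computed hash is checked against every user in a
    single dict lookup, and users who share a password fall together.
    Returns (cracked: {username: password}, uncracked: sorted [username, ...]).
    """
    by_hash = {}
    for user, digest in dump:
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates(**kwargs):
        users = by_hash.pop(hash_fn(guess), None)
        if users:
            for user in users:
                cracked[user] = guess
        if not by_hash:
            break  # nothing left to find; stop early
    uncracked = sorted(u for users in by_hash.values() for u in users)
    return cracked, uncracked


if __name__ == "__main__":
    found, survived = crack(STOLEN_DUMP)
    for user, password in found.items():
        print(f"{user}: {password!r}")
    print("not cracked:", survived)
```

Five of the six accounts fall: two to the breached-password list (note that alice and frank share a hash, so one guess gives both), one to a long dictionary word, one to "Summer2019!" via a mangling rule, and one to the exhaustive search over 36 lowercase-and-digit characters up to length 3 (about 48,000 hashes, a fraction of a second). Only the 16-character random password survives, and it would survive a real search too: exhaustive guessing grows as alphabet_size^length, so all printable-ASCII strings of length 8 number about 6.6 × 10^15, and of length 12 about 5.4 × 10^23. The trick of hashing each guess once for the whole dump works only because the hashes are unsalted; a unique salt per user forces a separate computation per account, and a deliberately slow hash such as bcrypt or Argon2 makes each of those computations cost thousands of times more.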

Image: "min 10 chars ...but I recommend longer"

I know I keep banging on and on about passwords. The fact is that passwords are undoubtedly the biggest source of major problems amongst my IT Support clients. You really must take this stuff seriously.

Lastly, some systems will still let you get away with a password of only eight characters. That is not enough. Against a fast, unsalted hash, a hacker with a rack of graphics cards can work through every eight-character combination in hours rather than years, and far faster if you stick to lowercase letters and digits. Go for an absolute minimum of 12. These days, mine are usually in the range of 15-25 characters.