What Is a Brute Force Attack?

Exhaustive Attack

The exhaustive attack refers to generating a set of all possible passwords based on a preset password length and a selected character set, and performing a blanket search in the password set. For example, if a 4-digit password containing just digits involves a maximum of 10,000 combinations, it can be decrypted within a maximum of 10,000 attempts. While this method can theoretically be used to crack any password, the time required to do so increases exponentially as passwords grow in complexity.

The exhaustive attack can be used to guess a randomly generated SMS verification code and the like, since the possibility of occurrence of various randomly generated passwords is the same and is not affected by human memory.

Dictionary Attack

The most frequently used passwords are stored in a file, which is known as a dictionary. A dictionary attack involves an attacker trying every password in the dictionary in an attempt to uncover the real one.

The dictionary attack is usually used to guess manually set passwords. The possibility of using such a password is related to how easy it is to memorize. 12345678 and "password" are more likely to be used as a password than fghtsaer. The dictionary attack has a slightly lower hit rate but takes less time than the exhaustive attack.

Rainbow Table Attack

A rainbow table attack is a type of dictionary attack that can effectively crack hash algorithms, such as MD5, SHA1, and SHA256/512.

To enhance security, a website does not store user passwords directly in a database. Instead, the website hashes each password into a string of meaningless characters. The hash algorithm is irreversible, meaning no decryption algorithm can be used to restore the original passwords. There are two methods to crack a hashed password. One is to try all possible combinations of a password using the exhaustive key search, and then compare each result with the target hashed value using the hash encryption algorithm, which is extremely time consuming. The other method is to generate a mapping table of all possible passwords and corresponding recomputed hash strings in advance, which is space consuming. For example, if a password is an alphanumeric string of 14 characters, the mapping table of passwords and 32-digit hash strings occupies a storage space of 5.7 x 10¹⁴ TB.

A rainbow table is a time-space tradeoff method. The core idea is to hash a cleartext string to obtain a hashed value, use the reduction function to compute the hashed value to obtain another cleartext string, and repeat the preceding steps to generate a hash chain. Then only the start and end strings in the hash chain is stored in the table, with the middle strings deleted. As such, the storage space to be consumed is reduced by half, and the number of calculation times does not increase greatly. Various reduction functions are used to compute hash chains, with each chain represented by a different color, leading to a rainbow effect. Hence the name is "rainbow table".

Rainbow table

When using the rainbow table to crack passwords, even an ordinary PC can reach an astonishing speed of more than 100 billion times per second. To improve security, a string may be hashed multiple times. For example, MD5 is performed again after a previous MD5 process. Also, a device adds a string (which is called salt) at the beginning and end of an original password to increase the password length, and then performs the hash operation. All the results can be added to the rainbow table. The most complete rainbow table can be used to crack about 99.9% of existing passwords on the Internet.

Manual Optimization: Enhancing Password Security

• Increase the password length and complexity.

  A password should consist of digits, uppercase letters, lowercase letters, and special characters. The longer a password is, the longer the time is taken to crack the password. If a password exceeds a certain length, it cannot be cracked by brute force attacks. For example, a server cluster can make a maximum of 350 billion attempts per second. It takes only 4.08 seconds to crack a 6-digit password, 6.47 minutes to crack a 7-digit password, 10.24 hours to crack an 8-digit password, 40.53 days to crack a 9-digit password, and 10.55 years to crack a 10-digit password.

• Use different passwords in different places.

  Repeated use of the same password for e-mail, banking, and social media accounts is more likely to result in identity theft. The abbreviation of a website name can be used as the suffix of a password. In this way, an independent password is used at each website and is not easy to forget.

• Do not use words from the dictionary, digit-only combinations, combinations of adjacent keys on a keyboard, or strings of repetitive characters.

  For example, do not use "password", 12345678, asdfg, aaaa, or 123abc.

• Avoid setting passwords comprised of people's names, non-confidential personal information (phone number, date of birth, and so on), or names of relatives, children, or pets. When we click on the "Forgot Password" link at some websites, the system sometimes asks a series of private questions. However, the answers are usually found in our social media profiles, making the accounts easier to crack.
• Regularly change passwords.

System Enhancement: Brute Force Cracking Prevention Design for Passwords

The following techniques can be used during system design:

• Lockout policy: A user is temporarily locked if the user enters incorrect passwords for a specified number of times.
• Verification code: Users can log in to the system only after completing simple tasks, which can be easily completed by users but cannot be completed by brute force tools. For example, a graphic verification code or SMS message confirmation is required.
• Password complexity requirement: Users are forced to set a long and complex password and change the password periodically.
• Two-factor authentication: Two authentication factors are combined to authenticate users. For example, any two of the following are combined: the password, ID card, security token, fingerprint, facial recognition, and geographic information.