What are brute force attacks?
Brute force attacks are trial-and-error attempts to crack an encryption using a large number of combinations. These can be used to guess passwords, encryption keys, API keys or SSH logins. These attacks are often carried out with the help of botnets or scripts to automate the entire process. It is a relatively easy and straightforward method which does not require advanced knowledge on the attacker’s part.
Are brute force attacks effective?
It really depends on the complexity of passwords used. Brute force attacks aren’t the most efficient of attacks as they can take a very long time to crack passwords. This is why most websites have a minimum length and special character requirements for passwords when you first create your account. Well-crafted passwords can take anywhere from 7 years of continuous processing....if the attacker has a system which can send 15 million requests every second! However, this time can be reduced by social engineering or other methods which would narrow down the possibilities of the password. Eitherway, it is still important to protect your websites from brute force attacks.
Time to Brute Force a password
# of Characters | Numbers Only | Lowercase Only | Upper & Lowercase | Numbers, Upper & Lowercase | Numbers, Upper & Lowercase, Symbols |
4 | Instant | Instant | Instant | Instant | Instant |
5 | Instant | Instant | Instant | Instant | Instant |
6 | Instant | Instant | Instant | 1 sec | 5 secs |
7 | Instant | Instant | 25 secs | 1 min | 6 mins |
8 | Instant | 5 secs | 22 mins | 1 hour | 8 hours |
9 | Instant | 2 mins | 19 hours | 3 days | 3 weeks |
10 | Instant | 58 mins | 1 month | 7 months | 5 years |
11 | 2 secs | 1 day | 5 years | 41 years | 400 years |
12 | 25 secs | 3 weeks | 300 years | 2k years | 34k years |
13 | 4 mins | 1 year | 16k years | 100k years | 2m years |
14 | 41 mins | 51 years | 800k years | 9m years | 200m years |
15 | 6 hours | 1k years | 43m years | 600m years | 15bn years |
16 | 2 days | 34k years | 2bn years | 37bn years | 1tn years |
17 | 4 weeks | 800k years | 100bn years | 2tn years | 93tn years |
18 | 9 months | 23m years | 6tn years | 100tn years | 7qd years |
How can you protect yourself?
There are few methods which can be implemented by website owners to protect themselves.
1) Mandate a minimum length of 12 characters for their website passwords that includes upper/lowercase letters, numbers, and special characters.
2) Lock accounts for a certain length of time after multiple failed attempts. Also add a delay of about 2-5 seconds after every failed attempt.
3) Use 2FA (Second Factor Authentication). However, this system alone can still be bypassed by other types of social engineering attacks and so it should be used in conjunction with other security methods.
4) As users, it is important to use different passwords for different websites. If a website is compromised and the passwords used on it are leaked, at least your accounts on other websites would be safe. Hackers like to use leaded passwords across multiple accounts because people almost always re-use passwords. This is known as a credential stuffing attack.
5) Users should also be careful about where they enter passwords or other important credentials lest they fall prey to phishing attempts. You should always check to see if the address you are at is correct before entering your details.
How can Polaris help you?
If you are a website owner and afraid of how brute force attacks might affect you, Polaris has multiple features which would prevent brute force attacks.
1) Scanning for suspicious traffic
Polaris automatically scans all incoming traffic before admitting it to your website. If incoming traffic from a specific IP is suspicious and has the characteristics of a brute force attack, it will be identified and blocked. Furthermore, previously identified and blacklisted bots on our system will also be blocked.
2) Captcha Protection
If unusual activity is detected from a certain IP, a captcha challenge will be issued to the IP before they are allowed to visit the website. If the IP is a bot or a script, it would not be able to get past the challenge easily. Repeated unusual activity will result in the IP address being blocked for some amount of time.
3) White-Listing
Polaris also makes it possible for only certain users to access the website. This is done by white listing the IP addresses of those users, which would prevent everyone else from accessing the site.
4) Geo Blocking
If you cater to specific markets only, it is possible for you to geo-block IP addresses from other countries. For example, if your website only caters to Singapore users, you can block IP addresses from other parts of the world from accessing the site.