How valuable is your data? How secure is your password? For anyone who uses internet services, the answer to both of these questions is probably quite concerning.
Even if you don’t always understand why, the data you leave in the hands of large internet companies can be very valuable indeed. At the same time, the security measures you have in place might not be as good as you think. Hackers have a long list of tools they can use to get at your juicy information.
The brute force attack is the baseline against which the security of data protection techniques is measured, but what is a brute force attack exactly?
Before we can understand what a brute force attack is, we need to quickly review the use of encryption to protect data. Encryption is a set of mathematical techniques used to obscure the true meaning of data.
Pig Latin, the mock language that children sometimes use, is a simple form of encryption. The phrase “hello hackers” becomes “ellohay ackershay”. If you know how the Pig Latin words are formed, it’s simple to get the original English back. If you don’t and you can’t figure it out, the original meaning is protected.
Now, modern computers use incredibly complex math to encrypt data. Everyone knows how they do it, but the trick is that each time something is encrypted, a unique string of characters called the encryption key gets plugged into the formula. Without that key, you have no way to reverse the encryption and get the original data back.
A brute force attack is aimed at guessing that encryption key – which is, as it turns out, incredibly difficult.
Brute Forcing the Combination Lock
The simplest way to explain this is with the humble combination lock, the sort of thing you’d use to secure your bicycle. If you have a lock with three tumblers, the possible combinations range from 000 to 999. That’s a thousand potential combinations. By adding a single tumbler, you increase that by an order of magnitude, to 10,000 combinations.
The encryption keys we use these days are much, much longer than three or four digits. They also use letters, numbers, and symbols. So the potential number of combinations is so high that not even the fastest supercomputers in the world have any realistic chance of guessing the correct key combination. There’s not enough time left in the universe!
The password you use to log into internet services and the code you use to access your phone are also encryption keys. Without that code, your data and services can’t be accessed. The longer and more random your password is, the less likely a brute force attack has any chance against it.
A simple brute force attack isn’t actually a practical way to get into someone’s data. However, it is a useful way to benchmark how much better other forms of encryption and password cracking are. For example, if a simple brute force attack would take a million years to crack a password and another technique could do it in a mere millennium, that’s a big improvement. Although, in both cases, you and the hacker would be well past caring.
What’s at Stake
The answer to that is basically “everything.” If a password or encryption key does get cracked, everything it protects is open to the cracker. That could be anything from something as benign as your holiday photos to something as critical as social security numbers or credit card details.
There are myriad ways hackers exploit stolen information, some of which might not even occur to us. Some do it for profit, some do it for mayhem. There’s no purpose that’s good for the owner of the data!
Smarter Variations of Brute Force Attacks
Since the simple brute force attack isn’t all that useful, why even bring up the subject? It’s mainly because there are smarter versions of the simple brute force attack that can actually break passwords (though not strong encryption) in usable time frames.
Dictionary attacks make educated guesses about passwords based on known passwords that have already been cracked, common words, common number combinations, and so on. Since most people come up with passwords that they can easily remember, using a dictionary attack reduces the number of possibilities. When applied to an entire database of stolen accounts, it’s even more likely that some will be quickly cracked.
Hybrid brute force attacks mix dictionary and simple brute force methods, so a known word combined with a short run of numbers or letters can be cracked with far more ease than a fully random string of the same length.
Reverse brute force attacks are also pretty interesting. Here, the hackers already know a password, so they try it against millions of accounts looking for a match. If you use the same passwords on multiple accounts, that’s a big problem too!
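As an added illustration (not code from the article), the following Python puts numbers on the combination-lock rule above and shows how much smaller the dictionary and hybrid search spaces are than a full search; the guess rate and the word list are assumptions constructed for the example.

```python
# Added example, not from the article: sizing the search space a brute force,
# dictionary or hybrid attack must cover. Rates and word list are constructed.
import math

GUESSES_PER_SECOND = 1_000_000_000  # assumption used only for time estimates
SECONDS_PER_YEAR = 365 * 24 * 3600
DICTIONARY = ["password", "hello", "hackers", "bicycle", "summer"]  # constructed

def keyspace(alphabet_size, length):
    """Combination-lock rule: each extra position multiplies the space."""
    return alphabet_size ** length

def hybrid_keyspace(words, max_suffix_digits):
    """Dictionary word followed by 0..max_suffix_digits decimal digits."""
    return len(words) * sum(10 ** n for n in range(max_suffix_digits + 1))

def years_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried before the right one turns up."""
    return candidates / rate / SECONDS_PER_YEAR

def entropy_bits(candidates):
    """Equivalent key length in bits for a uniformly chosen candidate."""
    return math.log2(candidates)

def in_hybrid_space(password, words=DICTIONARY, max_suffix_digits=4):
    """Defender-side check: does the password match the word+digits pattern
    a hybrid attack reaches long before a full search would?"""
    lowered = password.lower()
    for word in words:
        if lowered.startswith(word):
            rest = lowered[len(word):]
            if rest == "" or (rest.isdigit() and len(rest) <= max_suffix_digits):
                return True
    return False

if __name__ == "__main__":
    cases = {
        "3-dial lock": keyspace(10, 3),
        "4-dial lock": keyspace(10, 4),
        "8 printable ASCII chars": keyspace(95, 8),
        "12 printable ASCII chars": keyspace(95, 12),
        "5 words + up to 4 digits": hybrid_keyspace(DICTIONARY, 4),
    }
    for label, size in cases.items():
        print(f"{label:26} {size:>26,d} {entropy_bits(size):5.1f} bits "
              f"{years_to_exhaust(size):9.2e} years")
    for pw in ("hello1234", "Hello12", "correct-horse-battery"):
        print(f"{pw!r} inside hybrid space: {in_hybrid_space(pw)}")
```

The table makes the article’s point concrete: the hybrid space for five words plus four digits is tens of thousands of candidates, while twelve random printable characters take millions of years to exhaust at the assumed rate.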
Hardware Performance Boosts
While the hardware to achieve simple brute force cracking doesn’t really exist for the sort of strong encryption we use today, passwords are a different matter. Modern CPUs are pretty fast, but modern GPUs have thousands of tiny processors that can work on these problems in parallel. So with enough hardware grunt, it becomes much easier to break user passwords at the very least.
With the advent of quantum computers, it may soon be possible to break even strong encryption almost instantly. At that point, we may be forced to use quantum encryption in order to secure things again.
Protecting Yourself From Brute Force Attacks
So what can you do to make it less likely that your own passwords will be compromised through brute force methods? It’s actually easier than you may think:
- Don’t use the same passwords on multiple accounts.
- Only use randomly-generated strong passwords.
- Use a password manager to store your passwords instead of memorizing them.
- Close and delete accounts you no longer use, if possible.
- Use two-factor authentication where possible.
These basic rules will thwart most password cracking attempts. The rest is in the hands of the company that keeps your data. Data breaches aren’t something you can do much about, but it’s worth looking into the security and encryption policies of the companies you trust to keep your data safe.