by peter


Brute Force Attack Explained


Risk Rating: Medium
Likelihood: 2/5
Impact: 3/5


  • Weak or missing account lockout mechanisms
  • Lack of compromised-account detection
  • No login velocity checks
  • Poor geolocation detection

Brute Force Attack Overview

In a now infamous attack in 2011, over 90,000 PlayStation Network and Sony Online Entertainment accounts were compromised. The attackers tested large numbers of username and password pairs, apparently obtained from an unidentified third party (a credential-stuffing variant of brute force), and ransacked the accounts they got into for personal information. The now-discontinued Club Nintendo fell victim to the same type of attack in 2013, when roughly 15 million automated login attempts broke into nearly 24,000 member accounts. All compromised accounts were suspended until access had been restored to the rightful owners, but the damage to brand reputation had already been done.

What you need to know

A brute force attack aims to get hold of your credentials, specifically your username and password, by trial and error. It is one of the simplest ways to gain access to an application, server or password-protected account: the attacker simply tries username and password combinations until one works (if one ever does; a six-character password drawn from the 95 printable ASCII characters has about 735 billion possible values, which is why real attackers guess likely passwords rather than enumerate every possible one).

Detecting brute force attacks is an everyday part of a 24x7x365 Security Operations Centre's work. If you have a SOC, check that they actually detect them: the telltale signs are a burst of failed logins against one account, one source failing against many different accounts (password spraying), and a successful login that follows a burst of failures. One way to confirm that your SOC is performing is to put your organisation through penetration or red-team testing that includes password guessing, and then check whether an alert was raised.
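The three signals above, run over a handful of constructed authentication log lines, as an added example that is not part of the original article. The log format (`<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>`), the sample lines, and the thresholds are all assumptions for the demo; a real SOC would tune the thresholds and feed the logic from its SIEM rather than a string.

```python
"""Added example (not from the original article): flag brute-force and
password-spraying patterns in a constructed batch of authentication logs.

Assumptions (all hypothetical): log lines have the form
'<ISO timestamp> <result> user=<name> src=<ip>' where result is
LOGIN_OK or LOGIN_FAIL. Thresholds are illustrative, not tuned values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. 10.0.0.5 hammers one account (classic brute
# force, then gets in); 203.0.113.9 tries one password against many accounts
# (password spraying); 192.168.1.20 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T10:00:02 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T10:00:03 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T10:00:04 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T10:00:05 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T10:00:06 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T10:01:00 LOGIN_FAIL user=bob src=203.0.113.9
2024-03-01T10:01:05 LOGIN_FAIL user=carol src=203.0.113.9
2024-03-01T10:01:10 LOGIN_FAIL user=dave src=203.0.113.9
2024-03-01T10:01:15 LOGIN_FAIL user=erin src=203.0.113.9
2024-03-01T10:01:20 LOGIN_FAIL user=frank src=203.0.113.9
2024-03-01T10:02:00 LOGIN_FAIL user=grace src=192.168.1.20
2024-03-01T10:02:10 LOGIN_OK user=grace src=192.168.1.20
"""

FAIL_THRESHOLD = 5      # failures per (src, user) inside the window
SPRAY_THRESHOLD = 5     # distinct users failed from one src inside the window
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect(log_text):
    """Return sorted alert lists under three keys:
    'brute_force'       (src, user) pairs with >= FAIL_THRESHOLD failures in WINDOW
    'spray'             src addresses failing against >= SPRAY_THRESHOLD users in WINDOW
    'fail_then_success' (src, user) pairs where a success followed a flagged burst
    """
    per_pair = defaultdict(deque)       # (src, user) -> failure timestamps
    per_src_users = defaultdict(deque)  # src -> (timestamp, user) of failures
    alerts = {"brute_force": set(), "spray": set(), "fail_then_success": set()}

    for raw in log_text.strip().splitlines():
        ts, result, user, src = parse_line(raw)
        if result == "LOGIN_FAIL":
            q = per_pair[(src, user)]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts["brute_force"].add((src, user))
            sq = per_src_users[src]
            sq.append((ts, user))
            while sq and ts - sq[0][0] > WINDOW:
                sq.popleft()
            if len({u for _, u in sq}) >= SPRAY_THRESHOLD:
                alerts["spray"].add(src)
        elif result == "LOGIN_OK":
            # A success right after a flagged burst is the highest-value
            # signal: the guessing may actually have worked.
            if (src, user) in alerts["brute_force"]:
                alerts["fail_then_success"].add((src, user))
            per_pair[(src, user)].clear()
    return {k: sorted(v) for k, v in alerts.items()}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Note that the per-account counter alone misses 203.0.113.9 entirely: each of its victims sees only one failure. Counting distinct usernames per source is what catches spraying, and a "success after burst" alert should page someone rather than sit in a dashboard.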

Preventing brute force attacks is comparatively simple. The most effective single control is to require two-factor authentication for all users, so that a guessed password alone is not enough to get in. If that is not an option, lock accounts for 15 minutes after three consecutive failed login attempts. Two caveats apply to lockouts. First, a purely per-account lockout lets an attacker deliberately lock legitimate users out by sending three bad passwords for each of them, so pair it with throttling by source address, and make the "locked" response the same whether or not the submitted password was correct, so the lockout cannot be used as an oracle. Second, lockouts do not stop password spraying, where one or two common passwords are tried against every account and the per-account counter is never tripped; that is what the source-based throttle and the SOC detections are for. There really is no excuse for a user account that can be brute forced.
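A lockout policy of the kind described above, as an added example that is not code from the original article. It combines the per-account rule (three consecutive failures, 15-minute lock, counter reset on success) with a per-source throttle, checks the lock before verifying the password so a locked account cannot be used as an oracle, and takes an injectable clock so the 15-minute window can be exercised without waiting. The user store, PBKDF2 verification, class and method names are all assumptions for the demo.

```python
"""Added example (not from the original article): account lockout plus
per-source throttling. All names, thresholds and the user store are
assumptions for illustration.
"""
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 3        # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60    # 15 minutes, as recommended in the text
SOURCE_RATE_LIMIT = 20       # failures per source address per window, any account
SOURCE_WINDOW = 15 * 60


def _hash(password, salt):
    # PBKDF2 is used here for a self-contained demo; argon2 or bcrypt are
    # the usual choices in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one demo account with a salted PBKDF2 hash.
_SALT = os.urandom(16)
USER_STORE = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def verify_password(user, password):
    """Constant-time comparison against the stored hash; unknown users fail."""
    record = USER_STORE.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


class LoginGuard:
    """Wraps a password verifier with lockout and throttling decisions."""

    def __init__(self, verify, clock=time.time):
        self._verify = verify          # callable(user, password) -> bool
        self._clock = clock            # injectable for testing
        self._fails = {}               # user -> consecutive failure count
        self._locked_until = {}        # user -> unix time the lock expires
        self._src_fails = {}           # src -> timestamps of recent failures

    def is_locked(self, user):
        return self._locked_until.get(user, 0) > self._clock()

    def _source_over_limit(self, src, now):
        recent = [t for t in self._src_fails.get(src, []) if now - t < SOURCE_WINDOW]
        self._src_fails[src] = recent
        return len(recent) >= SOURCE_RATE_LIMIT

    def attempt(self, user, password, src):
        """Return 'ok', 'bad_credentials', 'locked' or 'rate_limited'.

        The lock and throttle are checked BEFORE the password, so the
        response for a locked account is identical for right and wrong
        passwords and leaks nothing to the attacker.
        """
        now = self._clock()
        if self.is_locked(user):
            return "locked"
        if self._source_over_limit(src, now):
            return "rate_limited"
        if self._verify(user, password):
            self._fails.pop(user, None)   # success resets the streak
            return "ok"
        self._fails[user] = self._fails.get(user, 0) + 1
        self._src_fails.setdefault(src, []).append(now)
        if self._fails[user] >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._fails[user] = 0
        return "bad_credentials"


class FakeClock:
    """Manually advanced clock so the lockout window is testable offline."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

Even with this in place, a lockout is a blunt instrument: the source throttle needs care behind shared NAT or a CDN, and nothing here substitutes for two-factor authentication.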

How the attack happens

The most common practical form of brute force is a dictionary attack, in which the attacker systematically works through a dictionary or wordlist, trying each entry until one succeeds. Entries are augmented with symbols and numerals by mangling rules (capitalising the first letter, appending a year or an exclamation mark, swapping letters for look-alike digits), and dedicated wordlists built from leaked and commonly used passwords are far more effective than a natural-language dictionary. Automated tools make this fast and cheap. Against a live login form the limiting factor is how quickly the service accepts attempts, which is what lockouts and throttling exploit; against a stolen database of password hashes the only limit is the attacker's hardware, which is why passwords must be stored with a slow, salted hash.
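A minimal dictionary attack with mangling rules, run offline against a constructed hash, as an added example that is not code from the original article and not how any named tool is implemented. The wordlist, suffix rules, target password and the use of a fast unsalted SHA-256 (which is exactly what makes such an attack cheap) are all assumptions for the demo; real attacks use multi-million-entry leaked-password lists and purpose-built cracking tools.

```python
"""Added example (not from the original article): a toy dictionary attack
with mangling rules against a constructed unsalted SHA-256 hash, plus the
full-keyspace count the text contrasts it with. Everything here is a demo
assumption; no real wordlist or tool is reproduced.
"""
import hashlib
import itertools
import string

# Constructed miniature wordlist; real ones have millions of entries.
WORDLIST = ["password", "welcome", "summer", "dragon", "monkey"]
# Constructed mangling suffixes: the "symbols and numerals" the text mentions.
SUFFIXES = ["", "1", "123", "!", "2023", "1!"]
# Simple letter-to-digit substitutions ("leet").
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$"})


def candidates(words=WORDLIST, suffixes=SUFFIXES):
    """Yield each word's case/leet variants combined with every suffix."""
    seen = set()
    for w in words:
        bases = {w, w.capitalize(), w.upper(),
                 w.translate(LEET), w.capitalize().translate(LEET)}
        for base, suffix in itertools.product(sorted(bases), suffixes):
            cand = base + suffix
            if cand not in seen:       # rules can collide; try each once
                seen.add(cand)
                yield cand


def sha256_hex(s):
    """Fast, unsalted hash: cheap to guess against, hence the demo target."""
    return hashlib.sha256(s.encode()).hexdigest()


def dictionary_attack(target_hash, words=WORDLIST, suffixes=SUFFIXES):
    """Return (password, attempts) on a hit or (None, attempts) on exhaustion."""
    attempts = 0
    for cand in candidates(words, suffixes):
        attempts += 1
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, attempts


def full_keyspace(length, alphabet=string.printable[:95]):
    """Number of strings of `length` over the 95 printable ASCII characters,
    i.e. what exhaustive search would face instead of a wordlist."""
    return len(alphabet) ** length


if __name__ == "__main__":
    hit, n = dictionary_attack(sha256_hex("Summer2023"))
    print(f"recovered {hit!r} after {n} guesses")
    miss, n = dictionary_attack(sha256_hex("xK9#pL2v"))
    print(f"random 8-char password: {miss} after exhausting {n} candidates")
    print(f"6-char keyspace: {full_keyspace(6):,} vs "
          f"{sum(1 for _ in candidates())} wordlist candidates")
```

The contrast is the point: a wordlist of five words and six suffixes recovers "Summer2023" in well under a hundred guesses, while "xK9#pL2v" is not touched, and the six-character keyspace alone is hundreds of billions of strings. A slow, salted password hash multiplies the cost of every one of those guesses, which is the defender's lever on the offline side.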

Attack Sources

Because brute force attacks are so easy to run, attackers with little or no technical experience can try them against someone's account. What the people behind these campaigns need is either time or computational power, and off-the-shelf automated tooling supplies both cheaply.