May 15, 2017 237 M+W

Understanding Brute Force Attacks and How to Avoid Them

Website security is one of the top concerns for site owners, and that’s as it should be. Failing to invest in a security certificate or choosing a less-than-reputable web host can lead to downtime or, worse, hacks into customers’ private information.

Another common security risk is a brute force attack, and it’s not what you might guess. Brute force attacks target passwords, and they let bad actors gain access to your website without your knowledge. Attackers work out every possible combination that could make up a password and then test them one after another. The attempts are made in milliseconds. That means short, simple passwords can be found quickly, but longer, more complex passwords could take months or years to unravel.

As the name implies, a brute force attack requires just that: a large amount of force – in this case, computing force. There is no elegant algorithm at play here; it is simply a huge number of attempts per minute made by an automated computing resource. The attacker may try different combinations of numbers and letters, or may just input a variety of known words. Or, when trying to crack a PIN code, the attacker enters every possible combination until one turns out to be right.

If you think about encryption as math, then a brute force attack is high-speed computing in which all possible answers are attempted until one is correct. This approach isn’t very effective against systems that lock out the user after a certain number of incorrect password attempts. But when data thieves have stolen encrypted documents and hold them on their own computers, no lockout applies, and they can keep trying brute force for as long as it takes to get the documents open.

So, what does this mean for the safety of your website and its users? Multilevel encryption and strong passwords are key. Here are some actions you can take:

  • Use strong encryption algorithms. As new options become available, upgrade immediately.
  • Create strong passwords. Long, nonsensical letter and number combinations are the safest.
  • Keep encrypted data where attackers can’t access it.
  • If your site allows users to log in over the internet, make sure to set an automatic logout after periods of inactivity and a lockout after a certain number of incorrect password attempts.
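
The lockout and inactivity logout from the last item above, as an added example that is not from the original article; the thresholds, the `Account` class and the function names are assumptions chosen for illustration, and the guesses are constructed sample data.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5            # assumed threshold; the article gives no number
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length
IDLE_SECONDS = 10 * 60      # assumed inactivity limit


def hash_password(password, salt):
    # Deliberately slow hash, so guessing against a stolen copy is costly too.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.failures = 0
        self.locked_until = 0.0
        self.last_seen = None  # None means there is no active session

    def login(self, password, now):
        """Return 'ok', 'denied' or 'locked'; `now` is a timestamp in seconds."""
        if now < self.locked_until:
            return "locked"  # refused without checking the guess at all
        if hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failures = 0
            self.last_seen = now
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "denied"

    def session_active(self, now):
        """Log the user out automatically once the session has sat idle too long."""
        if self.last_seen is None or now - self.last_seen > IDLE_SECONDS:
            self.last_seen = None
            return False
        self.last_seen = now
        return True


def simulate_guessing(account, guesses, start=0.0):
    """Feed one guess per second; count how many were checked versus refused."""
    results = [account.login(g, start + i) for i, g in enumerate(guesses)]
    return results.count("denied"), results.count("locked"), results.count("ok")
```

Only the first five guesses are ever checked; everything after that is refused until the lockout expires, including the correct password, so the legitimate user is also kept out for that window.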

Do you wonder whether your site and data are sufficiently secure? We can take a look and offer suggestions for improvements if warranted. Reach out today for assistance!