Saturday, July 29, 2017

Brute Forcing

Before we start discussing brute forcing, let's get an idea of what the words brute and force mean. Brute means violent, and force means making a way through or into something by physical or logical strength. In computer security we use the term to describe an attack in which an attacker tries to crack the password of a login page (or some other authentication point) by trying every possible combination of a set of characters. The number of characters in that set differs from scenario to scenario.
Example: I know that the youcanthackme.com website allows users to use only digits in their passwords. Therefore I only need to consider the combinations that can be made from 0-9. This makes the brute force attack fast.

Brute force tools

  1. Aircrack-ng
  2. John the Ripper
  3. RainbowCrack
  4. Cain and Abel
  5. L0phtCrack
  6. Ophcrack
  7. Crack
  8. Hashcat
These are some well-known brute force attack tools.

As we all know, almost everyone stores passwords in databases as hashes instead of encrypting them. Once you provide the password in the login form, the system takes its hash value (salting also happens here) and compares it with the stored hash of the original password. Only if these two match will the system let the user in. If you are seriously concerned about brute force attacks, you can use a slow hashing algorithm. Assume that you have a brute force tool that feeds 50 combinations a second. If the hashing algorithm cannot keep up with that speed, the attack grinds to a halt.

Examples of slow hashes: bcrypt, PBKDF2, scrypt
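To make the two points above concrete (the digits-only keyspace from the youcanthackme.com example, and the slow hash as the defence), here is an added example in Python; it is not code from the original post. It stores a password as a salted PBKDF2-HMAC-SHA256 hash (one of the slow hashes named above), verifies a login the way the text describes, and measures how fast a digits-only exhaustive search runs against a one-round record versus a 200,000-round one. The work factors, the constructed PIN 0427 and all function names are assumptions made for this demonstration.

```python
import hashlib
import hmac
import os
import time
from itertools import product
from typing import Optional, Tuple

# Work factors for the two stored records compared below. Both values are
# assumptions chosen for this demonstration: one PBKDF2 round behaves like a
# plain salted hash, 200,000 rounds is in the range used by real deployments.
FAST_ITERATIONS = 1
SLOW_ITERATIONS = 200_000
DIGITS = "0123456789"


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The iteration count is the tunable cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int) -> dict:
    """What the server stores: a fresh random salt, the cost and the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": hash_password(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """The login check: rehash the candidate with the stored salt and cost,
    then compare in constant time so timing does not leak partial matches."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def digits_only_search(record: dict, length: int,
                       limit: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Defender's cost estimate for the post's digits-only scenario: walk the
    10**length candidates in order against one stored record and report the
    recovered password (or None) with the number of guesses spent. Every guess
    pays one full hash computation, which is exactly what a slow hash makes
    expensive. `limit` caps the number of guesses for short demonstrations."""
    tried = 0
    for combo in product(DIGITS, repeat=length):
        if limit is not None and tried >= limit:
            break
        guess = "".join(combo)
        tried += 1
        if verify(guess, record):
            return guess, tried
    return None, tried


def guesses_per_second(record: dict, samples: int = 20) -> float:
    """Measure how many verify() calls per second this machine manages at the
    record's work factor (an attacker's best rate on the same hardware)."""
    start = time.perf_counter()
    for i in range(samples):
        verify(f"{i:04d}", record)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def keyspace_time_seconds(length: int, rate: float) -> float:
    """Worst-case seconds to exhaust a digits-only keyspace at `rate` guesses/s."""
    return 10 ** length / rate


if __name__ == "__main__":
    pin = "0427"  # constructed 4-digit password for the demonstration
    fast = make_record(pin, FAST_ITERATIONS)
    slow = make_record(pin, SLOW_ITERATIONS)
    for name, rec in (("fast", fast), ("slow", slow)):
        rate = guesses_per_second(rec)
        print(f"{name}: {rate:,.0f} guesses/s, "
              f"4 digits exhausted in {keyspace_time_seconds(4, rate):.1f} s, "
              f"8 digits in {keyspace_time_seconds(8, rate) / 3600:.1f} h")
    # The post's tool at 50 guesses/s: 10**4 PINs take 200 s, 10**8 about 23 days.
    print(digits_only_search(fast, 4))  # -> ('0427', 428)
```

The search walks the candidates in numeric order, so the constructed PIN 0427 is found on the 428th guess against the one-round record almost instantly; against the 200,000-round record every one of those guesses costs the full work factor, which is the slowdown the paragraph above describes. The salt does not slow the search against a single record; its job is to stop one precomputed table from serving every user at once.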
Thank you guys. Hope you learned something from this blog post. Cheers.