IT Best Practices.
Brute Force Hacking: Are Your Servers Safe?
Hollywood often portrays the hacker as an individual who is highly adept at guessing usernames and passwords. In the real world, servers actually do get hacked in this way. However, the guessing isn’t done by a person but rather by software. The software sometimes does this systematically by using all possible combinations of characters to guess usernames and passwords.
Sometimes they may use to great effect, a list of default usernames and passwords commonly used by lazy people. Because of the software’s speed and the prevalence of weak usernames and passwords, the hacker has a good chance of success.
Even when an individual changes the default username and uses a somewhat stronger password, their server accounts can still be hacked in a reasonable length of time. This is because most people use passwords that are easily remembered and therefore use words with possibly a few numbers appended. These words can be accessed in dictionaries and name lists. Brute force hackers don’t always work alone. They often have access to online resources and communities that share and sell software, word lists, and algorithms that intelligently guess passwords.
Sometimes the login page provides clues that facilitate username and password guessing. For example, the login page can respond to failed attempts with phrases such as “username does not exist” and “incorrect password.” It’s a simple matter to program hacking software to respond to these phrases.
An often used counter-measure against brute force attack is blocking the attacking IP address after a prescribed number of failed login attempts. However, the hacker can circumvent this somewhat by using massive lists of proxy servers with different IP addresses. Therefore an attacker with a list of 5,000 proxies can make 25,000 login attempts when each IP address is blocked after five unsuccessful tries. Another problem with IP blocking is that it may block legitimate users of these proxies.
Another counter-measure is locking out user accounts after a set number of login failures. However, this becomes an inconvenience for the owner of an account that is frequently attacked. The hacker may continue these attempts to effectively deny users access to their accounts.
Many other counter-measures are used for blocking brute force attacks, but each has its weakness that makes counter-counter-measures possible. One can also layer several of these counter measures to present a more difficult target to the hacker. In the end, the most effective security is the use of strong passwords with long strings of randomized characters.
If you require secure and reliable server hosting for your business, please contact us.