After the hacker attack: How you can protect yourself from brute force attacks
29.8.2017
Translation: machine translated
Switzerland has been hit by a brute force attack. The federal government has responded and put a tool online that you can use to find out whether your account has been affected. As the attack is targeting passwords, let's take a look at passwords and strategies.
The Reporting and Analysis Centre for Information Assurance Melani warns: A large-scale attack has been registered in Switzerland. The attackers have unleashed a brute force attack on a server in Switzerland and compromised 21,000 usernames and passwords.
I'd like to take this as an opportunity to explain the concept of a brute force attack and give you some advice at the end on how you can help to ensure that such attacks remain largely ineffective.
What is a brute force attack?
Brute force attacks are attacks that essentially - and in somewhat simplified terms - do the following:
- Calls up the login form of the site
- Enters an email address as login
- Tries out password after password, following a dictionary
- The server responds with either "Password incorrect" or "Login successful"
- If "Password incorrect" is sent in response, the attacker tries the next word in the dictionary
Update: User YouShook figured out what was bugging me. I have adjusted the regex. Thank you, YouShook.
[a-zA-Z0-9\w]{6,8}
Should fit. If not, please leave me a comment with the correct regex. The longer I stare at it, the less [\w] seems to be correct.
Translated, the regex means the following:
- entire alphabet, both upper and lower case
- digits
- punctuation marks
- {6,8}: Between six and eight characters long, as it makes no sense to test shorter passwords
The RegEx not only tests strings of special characters, but also words. So if your password is "digitec1", then this is included in the RegEx, because the RegEx does not differentiate between human words and random character strings.
In most cases, a brute force bot proceeds according to a list of email addresses or other login names purchased online and tries its dictionary per account.
- hans.muster@example.org/aaaaaa
- hans.muster@example.org/aaaaaaa
- hans.muster@example.org/aaaaaaaa
- ...
Depending on the bot's computing power and latency in the target, such an attack can be over in minutes or last several hours.
However, there are variants of a brute force attack. The one described above is the simplest, but also the most complex. However, hackers are lazy and often take advantage of statistics. Wikipedia maintains a list of the most commonly used passwords, which has been compiled after analysing hacks with significant data leaks.
A third variant is that the hackers buy a list of usernames and passwords from another hack and then apply these username/password combinations, i.e. the credentials, to a site. This attack can be very effective as many users have the nasty habit of using the same password and login for multiple sites and also as access to their credit card. It is therefore possible that the credentials from site A also work on site B.
After reading the Melani report, I suspect that the third variant was used in the attack. It's not explicitly stated, but reading between the lines it strongly feels that way. In particular, their check tool also indicates that the Melani is in possession of the list used by the attackers.
What can I do?
Yes, but my password is already "eCSD,827c" and that's not secure?
Passwords are a tiresome topic that will probably not be discussed any time soon. You and I know password guidelines like the following.
- At least eight characters long
- At least one number, with 1 being discouraged
- At least one special character
In RegEx, by the way, it looks like this
[a-zA-Z0-9\w]{8,}
At the end you have something like eCSD,827c as a secure password. Or something like "d!gItec1". Both work, but are more practical for machines and less for humans. Because it is difficult to memorise something like this. The thought "It's digitec1, but the first i is a ! and the second is capitalised" is not very intuitive. I would therefore like to suggest an alternative solution that works quite well in itself.
It is the so-called xkcd password, named after an issue of the webcomic xkcd.
The theory behind the password is simple:
- Take three or four human-readable words and string them together
- Take a number as a separator or a special character
- Add something to the end, either a separator or a number
At the end you will have a password like "catconfusedlondon5". Long enough, you've already memorised it and the only abstract thing about it is the number at the end. And a 5 is easy to remember. The password is 23 characters long, so an attack that starts with eight characters will sooner or later get past the confusing cat, but it will take a very, very long time.
This still doesn't solve the problem with "multiple sites, one password".
"But I don't want to have to remember a hundred passwords!"
With both managers, it is possible to assign and save passwords without ever seeing the password. I find that kind of creepy, but it works well.
If you still want to use the same password everywhere, Melani recommends the following measures:
- Change the password of all online accounts that are linked to the affected email address (email account, online shops, e-banking, social media, etc.).
Use a separate password for each internet service/online portal.
- Enable 2-factor authentication wherever possible.
- Check any kind of bank statements, iTunes debits, etc. over the next few weeks. If you notice any irregularities, please contact your bank or the relevant company immediately.
- Inform all persons listed in the e-mail contacts that they should be careful when receiving e-mails with your sender and, if in doubt, contact you.
So, that's it. Now it's your turn. I've told you a lot about brute force attacks and how to defend against them. Now it's up to you to help make sure you don't get hit. <p
Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.
Background information
Interesting facts about products, behind-the-scenes looks at manufacturers and deep-dives on interesting people.
Show all