A brute-force cracking attack indicates that the attacker tries all possible combinations of the account username and password to crack the account name and password or other sensitive information. Attackers often use automated scripting tools to run brute-force cracking attacks.
Brute-force cracking attacks can be divided into the following categories according to their attacking methods:
Dictionary-based attack. Most attackers do not have high-performance cracking algorithms and CPU/GPU. To save time and improve efficiency, they may use social engineering or other ways to establish a cracking dictionary that contains usernames and passwords they can use for cracking.
Exhaustion attack. The attacker first lists possible password combinations, such as numbers, upper and lower case letters, and special characters. Then the attacker makes up different account name and password pairs with the password length ranging from one character, two characters to more characters, and tries the pairs one by one. This attacking method requires high-performance cracking algorithms and CPU/GPU.
Combined attack. The combined attacking method involves combining a dictionary-based attack and an exhaustion attack.
In theory, most passwords can be cracked with a powerful computer and sufficient time.
Remote Desktop Protocol (RDP) for Windows and SSH management protocol for Linux
Software services with logon authentications (such as MySQL, SQL Server, FTP, Web frontend and backend logon interfaces, and other application services)
For defenders, the longer the time left to the attacker, more likely the attacker cracks the username and password. That is why time matters so much for detection of brute-force cracking attacks.
A brute-force cracking attack initiated by automated tools can get the account and password.
Develop a password complexity policy and harden your services. The password must consist of more than eight characters, preferably more than 20 characters. The password must be complex, containing numbers, upper and lower case letter, and special symbols. The maximum validity period of a password must not be more than 90 days.
Enable network access control and strictly limit exposing high-risk service management ports directly to the Internet. We recommend that you use VPN for centralized management and auditing.
Improve internal security awareness and prohibit account lending and sharing.