Crypto-IT Logo
ου γαρ εστιν κρυπτον ο ου φανερον γενησεται ουδε αποκρυφον ο ου γνωσθησεται και εις φανερον ελθη
Wersja PL ENG Version

Brute-Force Attack

During the brute-force attack, the intruder tries all possible keys (or passwords), and checks which one of them returns the correct plaintext. A brute-force attack is also called an exhaustive key search.

An amount of time that is necessary to break a cipher is proportional to the size of the secret key. The maximum number of attempts is equal to 2key size, where key size is the number of bits in the key. Nowadays, it is possible to break a cipher with around 60-bit long key, by using the brute-force attack in less than one day.

Using brute-force attacks may be beneficial against all ciphers in which the number of all possible keys values is smaller than the number of all possible different messages. Therefore, all ciphers may be targeted, with the exception of ciphers providing perfect security.

For breaking ciphers using brute-force attacks, very fast specially designed supercomputers are often used. They are owned by big research laboratories or government agencies, and they contain tens or hundreds of processors. Alternatively, large networks of thousands of regular computers working together may be used to break the same cipher. Cryptographic brute-force attacks are very scalable processes.

Dictionary Attack

Dictionary attacks are a kind of brute-force attacks, in which the intruder attempts to guess a password by trying existing words or popular expressions.

Such an approach reduces significantly the number of possible passwords that have to be tested. On the other hand, users often choose (or are required) to add some additional characters, like numbers, to their passwords, thus making the passwords impossible to be found in dictionaries. The applications that perform dictionary attacks often perform some common modifications of tested words, for example they may append current years.

Reverse Brute-Force Attack

In reverse brute-force attack, the intruder tests a single (usually popular) password against multiple victims. Usually a popular expression, like a word 'password', is tried against a huge number of users. The attacker does not target a specified user but rather the whole system which is used by them.

To prevent such attacks, administrators can ban using some popular and too predictable passwords.