Password Brute Forcing
Password brute forcing is a credential-guessing technique in the Gain Access phase: the attacker tries many candidate passwords against known usernames or accounts until one authenticates. It does not exploit a flaw in the authentication logic; it relies on volume, working methodically through predefined dictionaries, leaked or common password lists, or algorithmically generated strings (or, in the password-spraying variant, a handful of common passwords across many accounts). The weakness it targets is fundamental to password authentication: a password is drawn from a finite space, so given enough attempts it will eventually be found, and weak or reused passwords fall quickly. For online attacks against interfaces such as web forms, SSH, RDP, SMB and API endpoints, attackers use tools like Hydra and Medusa, which can drive thousands of attempts per second where the target does not throttle them; John the Ripper (like hashcat) works offline against captured password hashes, where no lockout or rate limit applies and attempt rates are far higher. Defenders counter online guessing with account lockout policies, rate limiting, CAPTCHAs, multi-factor authentication and intrusion detection; slow, salted password hashing and password policies are what limit offline cracking.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-Factor Authentication | Enforce MFA so that a correctly guessed password alone cannot establish a session; the attacker still lacks the second factor. Prefer phishing-resistant factors where the threat model includes credential relay. |
| M1044 | Rate Limiting and Account Lockout | Impose exponential back-off and a CAPTCHA after successive failures, tracked per account and per source. Block source IPs that exceed a failure threshold. Keep lockouts time-limited so an attacker cannot weaponise them to lock legitimate users out of their own accounts. |
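The back-off and lockout policy in the table, worked through as an added example (this is illustrative code, not part of the original page or any particular product). Threshold values, the account and IP names, and the `LoginThrottle` class are assumptions chosen for the demonstration; a controllable clock replaces real time so the schedule can be exercised without sleeping.

```python
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for illustration; tune them to the real service.
BASE_DELAY_SECONDS = 1.0     # delay imposed after the first failure
MAX_DELAY_SECONDS = 60.0     # cap on the exponential back-off
CAPTCHA_THRESHOLD = 3        # failures after which a CAPTCHA is demanded
LOCKOUT_THRESHOLD = 10       # consecutive failures that trigger a time-limited lockout
LOCKOUT_SECONDS = 900.0      # length of that lockout
IP_BLOCK_THRESHOLD = 50      # failures from one IP (any account) before it is blocked
IP_BLOCK_SECONDS = 3600.0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    next_allowed: float = 0.0  # earliest time the next attempt is accepted
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account exponential back-off plus per-IP blocking (assumed design)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}
        self.ip_failures: dict[str, int] = {}
        self.ip_blocked_until: dict[str, float] = {}

    def check(self, username: str, ip: str) -> dict:
        """Decide whether an attempt may proceed right now."""
        now = self.clock()
        if now < self.ip_blocked_until.get(ip, 0.0):
            return {"allowed": False, "reason": "ip_blocked"}
        st = self.accounts.setdefault(username, AccountState())
        if now < st.locked_until:
            return {"allowed": False, "reason": "locked"}
        if now < st.next_allowed:
            return {"allowed": False, "reason": "backoff"}
        return {"allowed": True, "captcha_required": st.failures >= CAPTCHA_THRESHOLD}

    def record_failure(self, username: str, ip: str) -> float:
        """Register a failure; return the delay now imposed on this account."""
        now = self.clock()
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.ip_failures[ip] >= IP_BLOCK_THRESHOLD:
            self.ip_blocked_until[ip] = now + IP_BLOCK_SECONDS
        st = self.accounts.setdefault(username, AccountState())
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            return LOCKOUT_SECONDS
        # 1, 2, 4, 8 ... seconds, capped at MAX_DELAY_SECONDS
        delay = min(BASE_DELAY_SECONDS * 2 ** (st.failures - 1), MAX_DELAY_SECONDS)
        st.next_allowed = now + delay
        return delay

    def record_success(self, username: str) -> None:
        """A successful login clears the account's consecutive-failure state."""
        self.accounts.pop(username, None)


class FakeClock:
    """Controllable clock so the back-off schedule can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_guessing(attempts: int, user: str = "alice", ip: str = "203.0.113.7"):
    """Drive up to `attempts` failures against one account (constructed scenario).

    The guessing script waits out each back-off delay; returns the list of delays
    imposed and the decision it would get on an immediate retry after the last failure.
    """
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    delays = []
    final = throttle.check(user, ip)
    for _ in range(attempts):
        if not throttle.check(user, ip)["allowed"]:
            break
        delay = throttle.record_failure(user, ip)
        delays.append(delay)
        final = throttle.check(user, ip)   # immediate retry, before waiting
        clock.advance(delay)
    return delays, final


if __name__ == "__main__":
    delays, final = simulate_guessing(10)
    print("delays imposed:", delays)
    print("decision on immediate retry:", final)
```

The per-account counter is what slows a targeted attack; the per-IP counter is what catches a source spraying across many accounts while each account stays under its own threshold. Keeping the lockout time-limited and resetting the counter on a successful login are the two details that stop the control from becoming a denial-of-service lever against legitimate users.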
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0015 | Application Log | Alert on a high rate of login failures from a single IP within a short window, and on failures against one account spread across many source IPs that each stay below the per-IP threshold (distributed or "low-and-slow" brute force). |
| DS0029 | Network Traffic Flow | Flag sources that send bursts of small POST requests to /login without fetching the scripts, stylesheets or images a browser would load with the page; that pattern is a signature of scripted guessing rather than an interactive user. |
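Both detection rows run over sample data, as an added example that is not part of the original page. The log format (ISO timestamp followed by key=value fields), the thresholds, and every IP address and username are assumptions; the log lines are constructed inline so the script runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Constructed sample logs (not real data); the key=value format is assumed. ----
# Burst: one IP fails 12 times against alice inside 11 seconds.
BURST = [f"2024-03-04T10:00:{i:02d}Z ip=203.0.113.7 user=alice result=FAIL"
         for i in range(12)]
# Low-and-slow: eight distinct IPs each fail once against bob, ten minutes apart.
SLOW = [f"2024-03-04T{10 + (i * 10) // 60:02d}:{(i * 10) % 60:02d}:00Z "
        f"ip=198.51.100.{i + 1} user=bob result=FAIL" for i in range(8)]
# Benign: carol mistypes once, then succeeds.
BENIGN = ["2024-03-04T10:05:00Z ip=192.0.2.9 user=carol result=FAIL",
          "2024-03-04T10:05:20Z ip=192.0.2.9 user=carol result=SUCCESS"]
AUTH_LOG = BURST + SLOW + BENIGN

# Web access events: a script hammering /login versus a browser that also loads assets.
WEB_LOG = [f"2024-03-04T10:00:{i:02d}Z ip=203.0.113.7 method=POST path=/login"
           for i in range(12)] + [
    "2024-03-04T10:04:55Z ip=192.0.2.9 method=GET path=/login",
    "2024-03-04T10:04:56Z ip=192.0.2.9 method=GET path=/static/app.js",
    "2024-03-04T10:05:00Z ip=192.0.2.9 method=POST path=/login",
    "2024-03-04T10:05:20Z ip=192.0.2.9 method=POST path=/login",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def high_rate_sources(events, window=timedelta(seconds=60), threshold=5):
    """IPs with >= threshold failures inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def low_and_slow_targets(events, window=timedelta(hours=2), min_sources=5, per_source_max=2):
    """Accounts hit from many distinct IPs that each stay under the per-source rate."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append((e["ts"], e["ip"]))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            per_ip = defaultdict(int)
            for _, ip in items[start:end + 1]:
                per_ip[ip] += 1
            quiet_sources = [ip for ip, n in per_ip.items() if n <= per_source_max]
            if len(quiet_sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(quiet_sources))
    return flagged


def is_asset(path: str) -> bool:
    return path.startswith("/static/") or path.endswith((".js", ".css", ".png", ".ico"))


def headless_login_clients(events, min_posts=5):
    """IPs that POST to /login repeatedly without ever fetching a page asset."""
    posts, assets = defaultdict(int), defaultdict(int)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login":
            posts[e["ip"]] += 1
        elif e["method"] == "GET" and is_asset(e["path"]):
            assets[e["ip"]] += 1
    return {ip: n for ip, n in posts.items() if n >= min_posts and assets[ip] == 0}


def run_detections(auth_lines=AUTH_LOG, web_lines=WEB_LOG) -> dict:
    auth = [parse(line) for line in auth_lines]
    web = [parse(line) for line in web_lines]
    return {"high_rate": high_rate_sources(auth),
            "low_and_slow": low_and_slow_targets(auth),
            "headless_clients": headless_login_clients(web)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The per-IP detector fires on the burst, the per-account detector fires on the eight quiet sources against bob, and the access-log heuristic flags only the client that never loaded an asset; carol's single mistake followed by a success trips none of them. Tune the thresholds against a baseline of the real service, since a shared NAT egress can legitimately produce many failures from one IP.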