A brute-force attack, also called exhaustive key search, is essentially a game of guessing and can be executed against any type of authentication system.
Encryption keys are particularly vulnerable to brute-force attacks, as there is no easy way of limiting the number of guesses an attacker can make to crack it. It is, therefore, possible to keep entering every single possible password until the correct one is happened upon.
Simple numeric passcodes
A password’s length and complexity make it possible for us to calculate how many guesses it would take to crack it.
For example, a typical four-digit door code would have 10,000 different combinations, from 0000 to 9999. It’s easy to calculate that if passwords are entered randomly, the correct door code has a 50% chance of being guessed within 5,000 attempts.
While it might be dreary to enter so many different keys for a human, we could build a little robot arm to do it for us, or even find a way to enter the codes electronically. If it takes our little robot arm one second to enter a code, we could open any such door within 167 minutes—less than three hours.
Making systems more secure by limiting the number of guesses
There are a few ways to make the aforementioned door more secure. We could, for example, only allow three guesses before the door code reader is locked inside a box that requires a physical key to open. The chance of correctly guessing the right door code would then be slashed to 0.3%, a number sufficiently small to hopefully put off an attacker.
Bank cards often use this mechanism; after a certain number of failed attempts, the ATM will retain the user’s card.
Phone SIM cards also often only allow a limited number of password guesses, after which a much longer PIN Unlock Key (PUK) is needed to access the card again.
The downside of this is the inconvenience. A secondary passcode system will make a door lock, bank card, or phone unusable for a certain amount of time. Also, if the PUK is not stored securely, it could pose an entirely new security risk.
An alternative system is to only allow a certain number of password guesses per minute. If you can only attempt to unlock the previously mentioned door once per minute, for example, it would take up to 167 hours to open the door. That’s almost exactly a week, and most likely enough to make an attacker not bother trying—or long enough for the rightful owners to detect the attack.
Nothing can limit the number of guesses for encryption keys
Limiting password attempts is only viable for a device or online service, however. If the attacker has access to an encrypted file, or the attacker has intercepted your encrypted communications, there is nothing that can limit the number of guesses they can make.
The only option in such cases is to increase the length of the passcode, making it more secure. For each added digit to a password, it becomes ten times more time-consuming to guess. A six-digit door code, for example, would take almost 12 days to crack at one guess per second.
Making longer passcodes comes at a cost, though, as they become more and more difficult to remember. And when it comes to pure guessing, computers can easily guess a billion numbers per second, so passcodes need to be extremely long. An 18-digit passcode would take over a year for a computer to guess, but could you remember a code that long?
Complexity is as important as length
Allowing for more complex passcodes greatly improves security. If we only allow numbers, there are only have ten possible entries per digit (0-9). Further allowing lowercase letters increases this to 36 entries per digit (0-9, a-z). Adding uppercase letters will increase to 62 entries per digit (0-9, a-z, A-Z).
Using the original Unicode table (the Latin character set) would further increase every digit to 95 possible entries. Allowing for other scripts, such as Arabic or Greek, quickly increases this number even further.
There are over 120,000 characters, symbols, and emojis in the current Unicode set—all of which can be used for a good password. Just using any two of those characters together produces a password with over 14 billion different possibilities. Adding a third makes it a quadrillion possibilities.
If we assume a computer can guess a billion passwords per second, it would take over a million seconds to find a three-character password using the Unicode set—about 12 days. Making passwords more complex is as powerful as making them longer, but they are generally much easier to remember.
Random is important, but humans are bad at random
In reality, passwords are rarely random. Humans systematically fail at coming up with truly random passwords, making some variations of the brute-force attack feasible.
For example, we may choose single popular words when asked to create a password, reducing the complexity of our passwords greatly. While there are 300 million possible combinations for a six-letter password, even if we only allow lowercase letters, attackers will start with most commonly used English words, which often yields results. Such an attack is called a dictionary attack.
A dictionary attack is often combined with knowledge of the most commonly used passwords. We know the popularity of certain passwords from previous password breaches. The password 1234, for example, unlocks over 10% of all phones. The passwords 1111 and 0000, a further 8%.
Given three attempts to crack a password, in theory, there is a 0.3% of cracking the password, but in practice, it is closer to 18%.
It should greatly increase the complexity of a password when certain letters are replaced with special characters, such as “Pa$$w0rd.” However, the way in which humans replace these letters is fairly predictable and it does not add much randomness. It is easy to guess popular replacements, such as e -> 3, a -> @, o -> 0 or s -> $, then check for these. This is often referred to as character substitution.
If a computer or an attacker has the opportunity to learn about the user it can greatly reduce the number of attempts required to crack their password. Many people add their birth dates or birth years to passwords. Others use the name of their spouse, child, or pet. Some might capitalize certain characters, or simply include the URL of the site that they use that password for—things an attacker can easily guess.
A common formula for a password is a word that starts with an uppercase letter, followed by a number, and ending with a special character, EG Word1111!. If an attacker obtains some knowledge of his/her target they might use this pattern but replace the content with information pertinent to the victim. This is called pattern checking.
The best protection is a strong, random password
Limiting the number of guesses per second, or the total number of guesses before an account gets locked down, goes a long way to protect you from brute-force attacks.
With encryption keys such limitations are not possible, so the best way to defend against a brute-force attack is to use a random password generator, either as a standalone tool or as part of a password manager. You can also use the Diceware technique.