Penetration Test | Jan Kahmen | 4 min read

Effectively Test for Brute Force Attacks: Reasons, Methods and Tools for More Security on the Internet

The principle of brute force attacks: An attacker gains access to a system by systematically trying passwords.

The importance of IT security continues to grow. Two-thirds of all SMEs experience a cyberattack each year. Attackers do not always come through the back door -- instead of exploiting security vulnerabilities or social engineering, they rely on brute force. Brute force attacks are among the oldest methods for gaining access to a system. In this article, we explain how you can protect yourself against brute force attacks through targeted testing and which tools are available for the task.

Protect Against Brute Force Attacks with Targeted Tests

The principle behind brute force attacks is remarkably simple: an attacker gains access to a system by systematically trying passwords or using software to automate the process. Brute force attacks are particularly insidious because, unlike security vulnerabilities, they can never be fully prevented. The weak point lies in the password itself and in how it is verified. There is no fundamental protection against brute force attacks, since the ability to access a website, database, or computer is not a security flaw but an intended feature. Effective protection against brute force attacks therefore requires targeted tests that evaluate both password strength and the authentication process.

Checking Password Security with John the Ripper and Hashcat

When attackers obtain a database of user data, the database alone is of little use to them. Sensitive data such as passwords is almost always stored not in plaintext but in hashed form, as so-called hashes. A hash looks like a random character sequence, but each one is derived from a specific password. This gives attackers the opportunity to attempt recovering the original passwords from these hashes offline, at their leisure. If you want to protect yourself against such scenarios, take the same approach as the attackers: use a password cracker to test the strength of your passwords.

John the Ripper was one of the first brute force tools. At the time of its release, graphics cards were rarely used in commercial settings, so the tool relied exclusively on the CPU for its attacks. Support for GPU-based password calculations was added later but does not match the performance of a modern brute force tool like Hashcat, which prioritizes GPU-based calculations from the ground up. Both tools are free and backed by a large, dedicated community.

Testing Brute Force Attacks Under Real-World Conditions with THC Hydra and Patator

With John the Ripper and Hashcat, you only test password security -- not the login process itself. To test your system under real-world conditions, use tools like THC Hydra. THC Hydra establishes numerous connections to the target server and tries passwords from a predefined list. The software offers a wide range of configuration options to simulate an attack in its full scope and put the system through its paces.

An alternative to Hydra is Patator, a compact Python script designed as a leaner and more flexible solution. However, the greater flexibility comes with more complex operation via the command line.
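As an added, defender-side example that is not part of the original article: a small Python detector that reads OpenSSH-style auth log lines and flags the pattern a Hydra-style test leaves behind, a burst of failed logins from one source address followed by a success from the same address. The sample log lines, the threshold of five failures and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth-log style (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:02 sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-05-01T10:00:03 sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:04 sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-05-01T10:00:05 sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-05-01T10:00:06 sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
2024-05-01T10:00:10 sshd[2007]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-05-01T10:00:40 sshd[2008]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts as (ip, kind, failure_count) tuples, in log order."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerted = set()                # ips that already produced a burst alert
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        q = failures[ip]
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "burst", len(q)))
        elif q and ip in alerted:
            # A success right after a burst is the case worth escalating first.
            alerts.append((ip, "success_after_burst", len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 198.51.100.4 stays below the threshold, so only the burst source produces alerts.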

Conclusion: Protecting Against Brute Force Attacks Through Testing

Brute force attacks remain a significant threat even in the era of two-factor authentication and AI-powered systems for detecting suspicious server activity. This attack vector is nearly impossible to eliminate, since no system can function in complete isolation. By conducting tool-supported tests, you simulate real brute force attacks to determine whether your system can withstand an assault while uncovering potential weaknesses in server configuration or password security.
