How the YubiKey protects against brute-force attacks: technicalities of attacks and key encryption
Brute force attacks are one of the most common hacking methods. It is considered one of the simplest, because in fact, in order to start an attack, an attacker only needs to know the login and have the appropriate software. The latter tests different combinations in turn.
Any password can be cracked this way, but the longer it is, the more time it will take for a hacker to penetrate. Although an attacker can speed up the operation by using heuristic optimization.
What we will talk about:
How a brute force attack works
One of the most common brute-force methods is called a “dictionary attack”. Its essence is to select combinations of different letters and numbers. Each password has a certain number of characters. Let’s denote it by N. Usually, passwords use all the letters of the Latin alphabet – that’s 26 characters. Each of the letters can be in upper or lower case. So that’s twice as much. And if you add numbers, that’s 10 more characters. So, we have the number of attempts:
- 26N — if the password consists of small letters;
- 36N — if the password consists of lowercase letters and numbers;
- 52N — if the password consists of lowercase and uppercase letters;
- 62N — if the password consists of lowercase and uppercase letters and numbers.
Let’s see how many attempts will result if the password consists of 6, 8, and 16 characters.
|Number of attempts||6 characters||8 characters||16 characters|
|26N||308 915 776||208 827 064 576||43 608 742 899 428 874 059 776|
|36N||2 176 782 336||2 821 109 907 456||7 958 661 109 946 400 884 391 936|
|52N||19 770 609 664||53 459 728 531 456||2 857 942 574 656 970 690 381 479 936|
|62N||56 800 235 584||218 340 105 584 896||47 672 401 706 823 533 450 263 330 816|
The number of attempts can also be increased by using special characters. But all the same, the computer is capable of processing several million passwords per second. But to crack 16-digit passwords, which consist of letters of various layouts and special symbols, an attacker may need several months. But, firstly, often to get a result, it is enough for the computer to make less than half of the attempts, and secondly, the hacker can optimize this process.
Methods for optimizing a Brute Force attack
Experienced hackers use various methods of optimization. The most famous of them are:
- dictionary attack;
- rainbow tables;
- hybrid attacks;
- increase in computer power.
A dictionary attack involves not only searching for combinations of letters, but also using a dictionary with a list of familiar and popular passwords. It is common knowledge that users often use common words and phrases for passwords, which are easier to remember, than complex combinations. So usually users don’t generate passwords, they write one or two words and add a few numbers or symbols to the phrase to meet minimum password complexity requirements when registering on some server.
Most often, hackers crack such passwords as “Password123”, “mybirthday1707”, “Summer@2019”, “123456”, “password”, “qwerty” etc.Such passwords are easy to remember, but they are also very easy to crack.
Every experienced hacker has his own database of compromised passwords. It can also customize requests in the hacking program based on user information such as name, date of birth, favorite books or music. This can increase his chances of success.
Tip for users: to prevent hacking, do not use the same password for different accounts.
This method allows you to decrypt symmetric passwords using lookup tables (a way of organizing data on computers) if one of the passwords is known. You can also use this method to recover passwords created using a hash function — an algorithm that accepts an arbitrary amount of data and returns a string of the appropriate size.
Cryptanalysis is the process of studying ciphers in order to break them and gain access to encrypted messages. Cryptanalysts use various methods and techniques such as statistical analysis, repetition analysis, frequency charts, and computer algorithms to crack ciphers.
Cryptanalysis is an important component of cryptography and information security.
Hybrid attacks are a combination of two or more passwords cracking methods to increase the effectiveness of the attack. For example, this could be a combination of traffic interception, social engineering techniques, and the use of programs to crack passwords or cryptographic keys.
Hybrid attacks are usually more complex and effective than individual attack methods because they can take advantage of each method to bypass security protections. These attacks can be used to break various types of protection, including two-factor authentication. Therefore, it is important to use a comprehensive approach to defense to make hybrid attacks more difficult and less effective.
Increasing computer power
Hackers can increase computing power for brute force attacks using various methods. Here are some of them:
- Use of botnets. Attackers can use computer networks that have been infected with viruses to increase computing power by sending tasks to hacking botnets.
- Using the GPU. Для збільшення швидкості обчислень при зламуванні паролів можуть бути використані графічні процесори GPU. Multiple GPUs can be connected to a single computer or clustered to increase computing speed. For example, the ATI Radeon HD 4850 X2 video card is capable of generating up to 2.2 billion hashes per second!
- Use of specialized servers. Dedicated servers have powerful hardware and appropriate software. So if hackers have access to such equipment, it can be used to carry out attacks.
- Use of cloud services. Cloud services usually have many computers, so they can also be used to increase computing power.
Increasing computer power can significantly speed up the process of cracking passwords, so it is important to use complex and long passwords and other protection methods to complicate such attacks.
Technical tools of hackers
Hackers use various programs to pick passwords. Most famous of them:
- John the Ripper is a free program that was created to help users recover lost passwords. But hackers are also very fond of this tool. The program is able to sort passwords both alphabetically and by dictionary — for this, it has the appropriate settings. The program runs on Unix OS. Can recover passwords by hashes — that is, by cryptographic signatures.
- Aircrack-ng — another free tool for hash and dictionary attacks. Has tools for decrypting passwords on Wi-Fi networks protected by WPA and WEP. It is considered one of the best. Works on Windows, UNIX, Linux and Mac OS X.
- Rainbow Crack — a tool that efficiently uses rainbow tables for attacks and reduces time spent testing different combinations with dictionary attacks. Works on Windows and Linux.
How to defend against brute force attacks
There are several methods to protect against brute force attacks. The choice of method depends on which accounts you are protecting – a business owner / developer account or a user account on a third-party service.
For all types of accounts, the following precautions will help:
- Create complex passwordsthat are 16 characters (or longer), in uppercase and lowercase, using numbers and special characters, and change them every month. Mnemonic phrases can be used for passwords, but they must be long and their context unknown to an attacker.
- Never use the same password for different services.
- Use programs – password managers, to avoid remembering complex combinations.
- Use two-factor authentication — more about authentication methods in our article “Two-factor authentication”.
Owners and developers can additionally use the following protection methods:
- Banning access by IP — if the alert system has detected hacking attempts from one IP, blocking the address will help prevent further hacking attempts for a while.
- Set a password policy with complexity rules — that is, prevent users from creating simple passwords when signing up.
- Using a captcha protects against bots, distinguishing the program from a person.
- Limitation of account login attempts — temporarily blocking users whose accounts are being hacked in order to prevent other hacking attempts and significantly reduce the possibility of passwords being guessed by software methods.
Use at least 128-bit or 256-bit password encryption – Security keys can help with this.
Security keys as the most reliable safeguards against burglary
Security keys are hardware devices used to protect sensitive information (passwords, biometrics) through encryption and decryption. Encryption in security keys can be symmetric or asymmetric.
In symmetric encryption, the same key is used to encrypt and decrypt data. This approach is quite simple and fast, but the key must be securely stored so that attackers cannot obtain it.
Asymmetric encryption uses a pair of keys — public and private. The public key can be shared, while the private key remains confidential. Data is encrypted using a public key, and decryption is performed using a private key. This approach is more reliable, since the private key remains only with the owner and cannot be obtained by outsiders.
Security keys are used in many industries, including protection against unauthorized access to computer systems: protection of electronic payments, online transactions, personal data, etc.
The most famous manufacturers of security keys
There are many manufacturers of security keys on the market. Here are some of the most famous and popular manufacturers:
- Yubico — a company that specializes in the production of hardware security keys YubiKey with asymmetric encryption. These keys are used for authentication, encryption, and signing of data.
- Gemalto — a company that produces hardware security keys and other products for protecting information. Gemalto’s products include SIM cards, secure USB drives and other solutions.
- RSA Security — a company specializing in cryptography and information protection. RSA Security makes software and hardware for data encryption, user authentication, and other purposes.
- Thales — a company that manufactures hardware security keys used to secure electronic transactions, store sensitive information, authenticate users, and more.
- Google — produces the Titan hardware security keys used for two-factor authentication. Titan Security Keys can be used to secure Google, Dropbox, Facebook, and other online accounts.
Benefits of YubiKey by Yubico
As you may have noticed, YubiKey hardware keys are in first place among the most popular security keys. These are devices that provide two-factor authentication or (on some services) allow you to log in without a password. Here are some of the YubiKey’s benefits:
- High level of security: YubiKey uses strong encryption algorithms including AES-256, RSA 4096 and ECC P-256. They are also used to protect sensitive information, such as passwords and encryption keys.
- Ease of use: The YubiKey is very simple to use. The key is connected to the USB port of a computer or mobile device and is confirmed with one click of a button.
- Cross-platform: YubiKey is supported by most operating systems, including Windows, macOS, Linux, Android, and iOS.
- High reliability: The YubiKey is made of high-quality materials and tested to meet safety standards. It has IP68 protection — waterproof and crush-resistant.
- Support for public key standards: YubiKey supports public key standards such as FIDO U2F and FIDO2, making it compatible with many services and applications.
- Password optimization: YubiKey can store encrypted passwords and be used as a password manager to automatically fill forms on web pages.
Overall, the YubiKey provides a high level of security and ease of use. This allows users to protect their sensitive information and accounts online with minimal effort.
If you are interested in the opportunity to purchase keys, or want to learn more about them, we invite you to the page of our online store, where you will find all the necessary information.
Cybersecurity is a constant race against the clock: hackers find vulnerable chains and try to gain...
Unauthorised access to personal information, financial accounts or trade secrets can cause a lot of damage. This can lead to large losses due to the loss of reputation and financial assets, violation of user privacy, etc. Therefore, every person, organisation, business or financial institution must take care of data protection.
What is a USB token and how to use itThe concept of a USB token Since protecting accounts with a...