Brute force attackers guess passwords, passphrases, and private keys in an attempt to eventually get the right answer and crack the security of a system, but how do they know when they have the right key? It depends on the system. Let's answer the question three times, one for three different common systems. Cipher Text With Authentication In this case, let's assume we have direct access to an encrypted hard drive (like that of a MacBook) that has been ciphered using . Because we have access to the raw encrypted data, we can't be locked out for too many failed attempts. 😈 AES-256-GCM Since we are free to guess as hard and as fast as we can, all we need to know is when to stop deciphering. This is easy if the encryption was done using an authentication tag as required by . When we get the correct password, the authentication tag will check out. GCM mode Web Application Brute forcing your way through the front door of a web application will prove difficult if not impossible.  The cryptosystem lives on a server you don't have control over.  Due to this, they can lock you out after a number of failed guesses. However, if the server doesn't have these kinds of protections in place, then it is easy to tell when you have the right password because you will likely be given an , and perhaps some form of login token. HTTP 200 response OK Public-Private Key Encryption Symmetric Cipher vs Asymmetric Public Key Encryption We can encrypt any message using the public key that we have, and we can decrypt using the private key if we can find it. Then, we can man-in-the-middle attack other users and decrypt their messages that were meant for the server. Ignoring the fact that it is practically impossible to brute force a 256-bit key, let's pretend that we have an infinite amount of resources and are able to eventually get the correct answer. How do we know when we have the right answer? Well, it depends a bit on the algorithm that was used to create the key pair. If we know the algorithm, then we can generate random private keys and check to see if the public key that we have is a valid match using the known algorithm. If this isn't feasible because we don't have all the algorithm information, then we are likely stuck with encrypting a random string of text with the public key, generating private keys, and trying to decrypt with each private key until the decryption is successfulness. Again, this would never work in practicality, the search space is 2^256 Brute-Force Attacks Explained in cryptography is when an attacker guesses many passwords in succession hoping to get one right. A brute-force attack eventually For example, the most naive form of brute force attack would be to try every permutation of characters from length 0 to length n. a, b, c ... aa, ab, ac, ... ba, bb, bc aaa, aab, aac, ... aba, abb, abc... bba, bbb, bbc... Assuming 26 lowercase letters, 26 uppercase letters, 10 digits, and 10 special characters, it would take 66^10 (~1560000000000000000) guesses just to try all the combinations of exactly length 10. Assuming a modest 200 guesses per second, it would take ~247,336,377 years to crack the password. So I'm Safe Right? Based on the math above, it certainly seems like 10 digit passwords are impervious to brute force attacks. While that may be true of the most naive attacks, there are other things to watch out for. Instead of the attacker guess every single combination, instead, they may try every word in the English dictionary, with every three-digit combination appended to the end. apple001, apple002, apple003... baby001, baby002, baby003... Assuming 50,000 words in the English dictionary, there are only 50,000,000 combinations!  Again, assuming 200 guesses per second, it would take ~2.9 to crack the password... that isn't very long. It is also trivial for the attacker to throw in special characters for corresponding letters. For example, " " days @pp1e001 By Lane Wagner – on Twitter @wagslane Thanks For Reading Lane on Twitter: @wagslane Lane on Dev.to: wagslane Subscribe to Qvault: https://qvault.io Previously published at https://qvault.io/2020/02/11/how-do-brute-force-attackers-know-they-found-the-key/

Twitter

2022 - HackerNoon Contributor of the Year - Algorithms

2022 - HackerNoon Contributor of the Year - Cryptography

2022 - HackerNoon Contributor of the Year - Github

2022 - HackerNoon Contributor of the Year - Job Hunting

2022 - HackerNoon Contributor of the Year - Mathematics

2022 - HackerNoon Contributor of the Year - Online Education

Coding Guru of 2022

Super Career Strategist of 2022

Learn to code on Boot.dev

Nominated for 2022 - HackerNoon Contributor of the Year - Algorithms

Nominated for 2022 - HackerNoon Contributor of the Year - Mathematics

Nominated for 2022 - HackerNoon Contributor of the Year - Cryptography

Nominated for Coding Guru of 2022

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Online Education

Nominated for 2022 - HackerNoon Contributor of the Year - Job Hunting

Nominated for Super Career Strategist of 2022

Too Long; Didn't Read

Discover Saakuru: Web3 Mass-Adoption with 0-FEES

How Hackers Can Brute-Force Passwords And Find A Correct Key?

How Hackers Can Brute-Force Passwords And Find A Correct Key?

Too Long; Didn't Read

People Mentioned

Companies Mentioned

Lane Wagner

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

How Hackers Can Brute-Force Passwords And Find A Correct Key?

Too Long; Didn't Read

People Mentioned

Companies Mentioned

Lane Wagner

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES