reverse brute-force attack
What is a reverse brute-force attack?
A reverse brute-force attack is a type of brute-force attack in which an attacker takes a single password that is known or assumed to be common and tries it against many usernames, rather than trying many passwords against one account, in an attempt to gain access to a network or application. In current practice the same technique is usually called password spraying. The term can also be written as reverse brute force attack, without the hyphen.
How do reverse brute-force attacks work?
Reverse brute-force attacks begin with the attacker holding a password as a known value, but not the username it belongs to. The password may come from a data breach, or it may simply be one that many people choose, such as a season followed by the current year. The attacker then tests that single password against a large list of possible usernames (or, in the offline case, against many password-protected files) until the right combination is found. Because each account sees only one or a few failed attempts, per-account lockout thresholds are usually never reached, which is what makes the attack effective against systems that only count failures per user.
Brute-force and reverse brute-force attacks are used to gain access to a website or service, take it offline, steal data or establish a foothold for further attacks.
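The difference between the two attack shapes is visible in authentication logs, and detecting it is the check most sites are missing. The following script is an added example, not code from the original article: it parses a handful of constructed sshd-style log lines (not real captures), labels each source address by whether its failures are concentrated on one username (brute force) or spread across many (reverse brute force), shows that a per-account lockout policy would catch only the former, and flags the highest-priority event, a successful login from a source already seen attacking. Thresholds, hostnames and IP addresses are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines for illustration; not real captures.
# 203.0.113.7 tries one password against five different accounts (reverse brute force),
# 198.51.100.9 hammers a single account (classic brute force),
# 192.0.2.44 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[4101]: Failed password for alice from 203.0.113.7 port 51012 ssh2
Mar 10 09:00:02 bastion sshd[4102]: Failed password for bob from 203.0.113.7 port 51013 ssh2
Mar 10 09:00:03 bastion sshd[4103]: Failed password for invalid user carol from 203.0.113.7 port 51014 ssh2
Mar 10 09:00:04 bastion sshd[4104]: Failed password for dave from 203.0.113.7 port 51015 ssh2
Mar 10 09:00:05 bastion sshd[4105]: Failed password for erin from 203.0.113.7 port 51016 ssh2
Mar 10 09:00:06 bastion sshd[4106]: Accepted password for frank from 203.0.113.7 port 51017 ssh2
Mar 10 09:01:00 bastion sshd[4110]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 10 09:01:01 bastion sshd[4111]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 10 09:01:02 bastion sshd[4112]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 10 09:01:03 bastion sshd[4113]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar 10 09:01:04 bastion sshd[4114]: Failed password for root from 198.51.100.9 port 40005 ssh2
Mar 10 09:05:00 bastion sshd[4120]: Failed password for alice from 192.0.2.44 port 60000 ssh2
Mar 10 09:05:30 bastion sshd[4121]: Accepted password for alice from 192.0.2.44 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log_text):
    """Return a list of (source_ip, username, failed) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "Failed"))
    return events


def classify_sources(events, min_failures=5, spray_ratio=0.8):
    """Label each source IP by the shape of its failures (thresholds are assumptions).

    Classic brute force: many failures against one username.
    Reverse brute force: failures spread across (almost) as many usernames as attempts.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for ip, user, failed in events:
        if failed:
            failures[ip] += 1
            users[ip].add(user)
    verdicts = {}
    for ip, n in failures.items():
        distinct = len(users[ip])
        if n < min_failures:
            verdicts[ip] = "benign"
        elif distinct == 1:
            verdicts[ip] = "brute-force"
        elif distinct / n >= spray_ratio:
            verdicts[ip] = "reverse-brute-force"
        else:
            verdicts[ip] = "mixed"
    return verdicts


def per_account_lockouts(events, threshold=3):
    """Accounts a per-user lockout policy would have locked. A spray never trips
    it, because each username fails only once."""
    per_user = defaultdict(int)
    for _ip, user, failed in events:
        if failed:
            per_user[user] += 1
    return {u for u, n in per_user.items() if n >= threshold}


def successes_from_flagged(events, verdicts):
    """Highest-priority alert: a login that succeeded from a source already
    flagged as attacking, i.e. the attacker found a username that matched."""
    hits = defaultdict(list)
    for ip, user, failed in events:
        if not failed and verdicts.get(ip) in ("brute-force", "reverse-brute-force", "mixed"):
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    verdicts = classify_sources(evts)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("per-account lockouts would catch:", per_account_lockouts(evts) or "nothing")
    print("successful logins from attacking sources:", successes_from_flagged(evts, verdicts))
```

Run on the sample, the spraying address is labelled reverse-brute-force even though no single account exceeds the lockout threshold, only root (the brute-forced account) would have been locked, and frank's successful login from the spraying address is surfaced as the event to investigate first. In production the same counters would be keyed on a sliding time window and on the source's autonomous system as well as its IP, since sprays are routinely distributed across many addresses.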
How to prevent reverse brute-force attacks
One of the best ways to prevent reverse brute-force attacks is to make sure no account holds the kind of password the attacker is likely to try. Organizations should have a solid password policy in place that requires longer passwords and, more importantly for this attack, screens every new password against lists of common and previously breached passwords. A rule that merely demands upper-case letters, digits and symbols does little here: a password such as Summer2024! satisfies it and is still among the first guesses in an attacker's list.
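To make that point concrete, the following is an added example (not code from the original article) of the screening step a password-change handler can run. It normalizes a candidate password the way an attacker's wordlist mangling rules would (lower-case, trailing year or punctuation removed, common letter substitutions undone) and rejects it if the base word is on a banned list, while also showing that the legacy complexity rule accepts exactly the passwords a reverse brute-force attacker would try. The banned list is a tiny constructed stand-in for a real breach corpus; the minimum length and substitution table are assumptions.

```python
import re

# Constructed stand-in for a breached/common-password corpus. A real deployment
# would check against hundreds of millions of entries; a handful of base words
# is enough to show the idea.
BANNED_BASE_WORDS = {
    "password", "welcome", "letmein", "qwerty", "iloveyou",
    "summer", "winter", "spring", "autumn", "companyname",
}

# Character substitutions attackers routinely undo (and users believe add strength).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Reduce a password to the base word an attacker's wordlist would contain:
    'P@ssw0rd2024!' -> 'password', 'Summer2024!' -> 'summer'.
    Only trailing decorations are stripped; that is the most common mangling."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop trailing year/digits/punctuation
    return base.translate(LEET)


def meets_legacy_complexity(pw, min_len=8):
    """The classic 'upper, lower, digit, symbol' rule. Trivially satisfied by a
    password that is still the first guess in a reverse brute-force list."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def screen_password(pw, min_len=12):
    """Return None if the password is acceptable, otherwise the reason it is not.
    The banned-word check runs first so the user learns the real problem."""
    if normalize(pw) in BANNED_BASE_WORDS:
        return "common or breached base word"
    if len(pw) < min_len:
        return "too short"
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024!", "Summer2024!", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: legacy rule={'pass' if meets_legacy_complexity(candidate) else 'fail'}, "
              f"screen={screen_password(candidate) or 'accepted'}")
```

Note the inversion: the legacy rule passes P@ssw0rd2024! and fails the long passphrase, while the screening check does the opposite. Screening at password-set time is what removes the attacker's target; lockouts and rate limits only slow the search.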
Organizations should also enable two-factor authentication (2FA) or multifactor authentication (MFA). 2FA and MFA add a layer of security on top of the password, so that a correctly guessed password alone is not enough to log in. Apple devices, for example, require users to enter their Apple ID password and a six-digit verification code that is displayed on another trusted device.
Administrators should also denylist unknown or known-malicious Internet Protocol (IP) addresses or allowlist acceptable ones, and apply rate limits per source IP across all accounts rather than only per account. Per-account lockout alone does not stop a reverse brute-force attack, because no single account receives enough failures to trip it; a source address that fails against many different usernames should be throttled and alerted on even when every individual account looks normal.
Reverse brute-force attack vs. brute-force attack
A brute-force attack is the mirror image of a reverse brute-force attack. Instead of testing one password against many usernames, a brute-force attack begins with a known username and guesses its password, typically by trial and error.
Brute-force attacks use automated tools to submit password guesses for a username until the correct one is found. The longer the password, the more guesses are needed. In its purest form a brute-force attack works through every possible combination of allowable characters; in practice attackers usually start with dictionaries of common passwords, because most users choose them, and fall back to exhaustive search only if that fails.