14 Brute-Force Attacks

This chapter will cover brute-force attacks against the underlying technology of MFA solutions. Some of this material was covered in earlier chapters, but it's worth repeating and expanding on.

Introduction

Brute-force attacks are considered the most primitive type of cyberattack. They don't require a lot of intelligence. The attacker simply attacks a target over and over again, slightly changing or incrementing one value each time, until they succeed. If the target doesn't have any defensive controls blocking all the tries, it's the one cyberattack method guaranteed to eventually win.

As covered in Chapter 1, “Logon Problems,” brute-forcing is one way to guess passwords. A brute-force password guesser, with zero knowledge of the allowed minimum length of a targeted password, would start with the letter a, let's say, and when that didn't work, try the letter b, and so on, until it had tried all the letters, numbers, and symbols in the possible character space and come up empty. Then the brute-force guesser would try aa, then ab, and then ac, and so on, again moving through all the possible characters in the second position. It sequentially adds more characters in each position, trying every possible combination, one at a time, until it eventually finds the correct combination of characters that make up the targeted password. Not surprisingly, brute-forcing passwords or anything cyber-related is relatively slow. Computer automated guessing ...
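To make the cost of that guessing order concrete, the following added example (not code from the book) computes where a password falls in the a, b, ..., aa, ab, ac sequence and how long reaching it takes with and without an account-lockout control. The 95-character space, the guess rate, the lockout policy and the sample password are all assumed values chosen for illustration.

```python
import string

# Assumed character space (95 printable ASCII characters), lowercase first so the
# first guess is "a" as in the text. A real system's allowed set may differ.
CHARSET = (string.ascii_lowercase + string.ascii_uppercase +
           string.digits + string.punctuation + " ")

def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def guess_rank(password, charset=CHARSET):
    """1-based position of `password` in the order a, b, ..., aa, ab, ac, ..."""
    index = {c: i for i, c in enumerate(charset)}
    rank = 0
    for ch in password:
        if ch not in index:
            raise ValueError(f"{ch!r} is outside the assumed character space")
        rank = rank * len(charset) + index[ch] + 1
    return rank

def seconds_to_reach(rank, guesses_per_second, lockout_after=None, lockout_seconds=0):
    """Time until guess number `rank` is made.

    With a lockout control, every `lockout_after` failed guesses costs the
    guesser `lockout_seconds` of waiting before the next try is accepted.
    """
    seconds = rank / guesses_per_second
    if lockout_after:
        seconds += ((rank - 1) // lockout_after) * lockout_seconds
    return seconds

if __name__ == "__main__":
    sample = "Zx9!"                      # constructed sample password
    rank = guess_rank(sample)
    no_control = seconds_to_reach(rank, guesses_per_second=1000)   # assumed rate
    with_lockout = seconds_to_reach(rank, 1000, lockout_after=5, lockout_seconds=900)
    print(f"guess number: {rank:,} of {keyspace(len(CHARSET), len(sample)):,}")
    print(f"no controls:  {no_control / 3600:.1f} hours")
    print(f"5 tries then 15-minute lockout: {with_lockout / (86400 * 365):,.0f} years")
```

With a lockout in place, the waiting time dominates: the raw guess rate barely matters once each small batch of failures costs minutes.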
