Blog | G5 Cyber Security

Bruteforce Attacks: Using Non-English Characters

TL;DR

Yes, bruteforce programs *can* and *do* use characters from other languages (Arabic, Greek, Cyrillic, etc.). This significantly expands the possible password combinations. Here’s how attackers do it, and what you can do to protect yourself.

Understanding the Problem

Traditional bruteforce attacks focus on English letters, numbers, and common symbols. However, most systems accept a much wider range of characters in passwords. Attackers exploit this by adding character sets and wordlists from other languages, so that their candidates match what non-English-speaking users actually type. A password like ‘пароль’ (Russian for ‘password’) only survives a cracker whose character set is limited to English letters; against an attacker who has added a Russian wordlist or the Cyrillic alphabet, it is exactly as weak as ‘password’.

How Brute-Force Attacks Use Other Languages

  1. Wordlists: Attackers create or use pre-made wordlists containing words and phrases in various languages. These lists are then fed into bruteforce tools.
  2. Character Sets: Tools allow specifying custom character sets, including Unicode characters from different alphabets.
  3. Keyboard Layouts: Attackers also target users who type an English word while a non-Latin layout is active, so the stored password is the string of Cyrillic (or other) letters that sit on the same physical keys. Typed on a Russian ЙЦУКЕН layout, ‘password’ becomes ‘зфыыцщкв’. Tools generate candidates by pushing an English wordlist through such layout mappings.
  4. Character Substitution: Some tools automatically substitute common English characters with visually similar characters from other alphabets (e.g., replacing Latin ‘a’ with Cyrillic ‘а’, U+0430), because users do the same thing in the belief that it makes a password stronger.
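The three candidate-generation techniques above (native-language wordlists, keyboard-layout shifting, and homoglyph substitution), as an added example that is not part of the original post. The wordlists, the target hashes and the use of unsalted SHA-256 as a stand-in for a real password hash are all constructed for the demo; only the QWERTY-to-ЙЦУКЕН key mapping and the Cyrillic lookalike table are real.

```python
"""Added example: turn an English-only candidate list into non-English
candidates three ways, then check them against a constructed target hash."""
import hashlib
import itertools

# QWERTY -> Russian ЙЦУКЕН layout: what the system stores when a user types an
# English word with the Russian layout active (letter keys only).
QWERTY_TO_JCUKEN = dict(zip("qwertyuiopasdfghjklzxcvbnm",
                            "йцукенгшщзфывапролдячсмить"))

# Latin letters and the Cyrillic lookalikes that get swapped in for them.
HOMOGLYPHS = {"a": "а", "c": "с", "e": "е", "o": "о", "p": "р", "x": "х", "y": "у"}


def layout_shift(word: str) -> str:
    """Map each Latin letter to the Cyrillic letter on the same physical key."""
    return "".join(QWERTY_TO_JCUKEN.get(ch, ch) for ch in word.lower())


def homoglyph_variants(word: str):
    """Yield every variant of `word` in which any subset of the substitutable
    letters is replaced by its Cyrillic lookalike (2**k variants for k such
    letters, the unchanged word included)."""
    positions = [i for i, ch in enumerate(word) if ch in HOMOGLYPHS]
    for swaps in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, swaps):
            if swap:
                chars[pos] = HOMOGLYPHS[chars[pos]]
        yield "".join(chars)


def candidates(english_words, foreign_words):
    """Candidate stream: native-language words first, then layout-shifted
    English words, then homoglyph-substituted English words; no duplicates."""
    seen = set()
    stream = itertools.chain(
        foreign_words,
        (layout_shift(w) for w in english_words),
        *(homoglyph_variants(w) for w in english_words),
    )
    for cand in stream:
        if cand not in seen:
            seen.add(cand)
            yield cand


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for a real password hash.  The candidate is
    hashed as UTF-8 bytes, which is how a non-ASCII password is stored."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hex: str, english_words, foreign_words):
    """Return the first candidate whose hash matches `target_hex`, else None."""
    for cand in candidates(english_words, foreign_words):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


# Constructed wordlists for the demo.
ENGLISH = ["password", "welcome", "summer"]
RUSSIAN = ["пароль", "привет"]  # "password", "hello"

if __name__ == "__main__":
    # Constructed targets: a Russian word, a layout-shifted English word, and
    # 'password' with a Cyrillic 'а' in second position.
    for secret in ("пароль", "зфыыцщкв", "p\u0430ssword"):
        found = crack(sha256_hex(secret), ENGLISH, RUSSIAN)
        print(f"{secret!r}: {'cracked as ' + repr(found) if found else 'not found'}")
```

Each target falls to a candidate list of fewer than thirty entries. The point is not the hash function but the candidate generation: none of these passwords is outside an attacker's reach just because it contains no English letters.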

Tools Used by Attackers

Several popular bruteforce tools support non-English character sets, Hashcat and John the Ripper among them.

In Hashcat, the built-in mask charsets are ASCII-only (`?l` lowercase, `?u` uppercase, `?d` digits, `?s` symbols, `?a` all of those, `?b` any byte value). Other alphabets are supplied as custom charsets in the slots `-1` to `-4`, either from the charset files shipped in Hashcat’s `charsets/` directory or, for passwords stored as UTF-8, as raw byte values with `--hex-charset`. Each Cyrillic letter occupies two bytes in UTF-8, so the mask needs one position per byte. The command below brute-forces every three-letter lowercase Cyrillic string against MD5 hashes (`-m 0`, mask attack `-a 3`):

hashcat -m 0 -a 3 --hex-charset -1 d0d1 -2 808182838485868788898a8b8c8d8e8fb0b1b2b3b4b5b6b7b8b9babbbcbdbebf hashes.txt ?1?2?1?2?1?2

Each `?1?2` pair is one UTF-8 letter: the first byte is d0 or d1 and the second lies in 80–8f or b0–bf, which together cover а–я (U+0430–U+044F). The cross product also yields a few byte pairs outside that range, so the mask overgenerates slightly, which is harmless. A wordlist attack (`-a 0`) needs no special handling at all: candidates are read as bytes, so a Russian wordlist is simply fed in as-is.
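Working out those per-byte hex charsets by hand is error-prone, so here is an added example (not part of the original post, and not a Hashcat utility) that derives them for any contiguous range of Unicode code points and assembles the matching command line. The hash file name `hashes.txt` and the hash mode are placeholders.

```python
"""Added example: derive the --hex-charset values and mask hashcat needs to
brute-force a contiguous range of Unicode code points stored as UTF-8."""


def utf8_hex_charsets(first: int, last: int) -> list[str]:
    """Return one hex charset string per UTF-8 byte position for code points
    first..last (inclusive).  Entry i is the sorted set of byte values that
    occur at offset i across all encoded code points.

    hashcat masks are fixed-length, so every code point in the range must
    encode to the same number of bytes; a range that straddles a length
    boundary (e.g. U+007F..U+0080) needs separate runs."""
    encoded = [chr(cp).encode("utf-8") for cp in range(first, last + 1)]
    width = len(encoded[0])
    if any(len(b) != width for b in encoded):
        raise ValueError("range spans UTF-8 sequences of different lengths")
    per_position = [sorted({b[i] for b in encoded}) for i in range(width)]
    return ["".join(f"{v:02x}" for v in values) for values in per_position]


def mask_for(charsets: list[str], length: int) -> str:
    """Mask for `length` characters: each character expands to one custom
    charset placeholder per byte (?1?2 for a two-byte alphabet, ?1?2?3 for
    a three-byte one)."""
    one_char = "".join(f"?{i + 1}" for i in range(len(charsets)))
    return one_char * length


def hashcat_command(first: int, last: int, length: int,
                    hash_mode: int = 0, hashfile: str = "hashes.txt") -> str:
    """Assemble the full command line.  hashcat has four custom-charset slots
    (-1..-4), so alphabets needing more than four bytes per character cannot
    be expressed with this technique."""
    charsets = utf8_hex_charsets(first, last)
    if len(charsets) > 4:
        raise ValueError("more than four byte positions; hashcat has only -1..-4")
    flags = " ".join(f"-{i + 1} {cs}" for i, cs in enumerate(charsets))
    return (f"hashcat -m {hash_mode} -a 3 --hex-charset {flags} "
            f"{hashfile} {mask_for(charsets, length)}")


def overgeneration_factor(first: int, last: int) -> float:
    """The mask takes the cross product of the per-position byte sets, which
    can include byte sequences outside the requested range.  Returns the
    number of candidates generated per character divided by the number of
    code points actually requested (1.0 means no waste)."""
    per_char = 1
    for cs in utf8_hex_charsets(first, last):
        per_char *= len(cs) // 2          # two hex digits per byte value
    return per_char / (last - first + 1)


if __name__ == "__main__":
    # Lowercase Cyrillic а..я, three letters long
    print(hashcat_command(0x0430, 0x044F, 3))
    print("overgeneration factor:", overgeneration_factor(0x0430, 0x044F))
    # Lowercase Greek α..ω, four letters long
    print(hashcat_command(0x03B1, 0x03C9, 4))
```

For lowercase Cyrillic the function reproduces the command shown above and reports an overgeneration factor of 2.0: the two-byte cross product produces 64 byte pairs per position for 32 wanted letters. That doubles the keyspace, which is usually acceptable; if it is not, split the range so that each sub-range shares a single first byte and run them separately.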

Protecting Yourself: Practical Steps

  1. Enforce Strong Password Policies: This is the most important step.
    • Minimum Length: Require passwords of at least 12-16 characters.
    • Complexity: Mandate a mix of uppercase and lowercase letters, numbers, and symbols.
    • Character Set Handling: Restricting passwords to English letters, digits and a few symbols does not slow an attacker down; it shrinks the space they have to search. NIST SP 800-63B recommends accepting all printing ASCII and Unicode characters, normalizing them (NFKC) before hashing so the same password always produces the same bytes, and checking the result against a denylist of known-weak passwords, including ones in the languages your users speak.
    • Password Changes on Compromise: Require a change when a breach or credential exposure is suspected. Scheduled rotation for its own sake is no longer recommended by NIST SP 800-63B, because it pushes users toward predictable variations of the old password.
  2. Account Lockout and Rate Limiting: Lock or throttle an account after a set number of failed login attempts.
    • This caps online guessing, which is the only kind of attack a lockout affects; an attacker cracking a stolen hash offline is not slowed at all. Prefer increasing delays or a CAPTCHA over a hard lock, so that an attacker cannot lock legitimate users out on purpose.
  3. Multi-Factor Authentication (MFA): Add an extra layer of security beyond just a password. Even if a password is cracked, MFA makes it much harder for attackers to gain access.
  4. Password Strength Meters: Use a strength estimator that gives users feedback and checks candidates against breached-password lists. A meter that only counts character classes will not notice that ‘пароль’ is as common among Russian speakers as ‘password’ is among English speakers.
  5. Monitor Login Attempts: Regularly review login logs for suspicious activity, such as many failed attempts from one IP address, or one password tried once against many accounts from many addresses (password spraying), which a per-account lockout does not catch.
  6. Web Application Firewalls (WAFs): WAFs can help detect and block bruteforce attacks targeting web applications.
  7. Consider Password Managers: Encourage users to use password managers to generate and store strong, unique passwords.
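The password-policy points above, as an added example that is not part of the original post: a Unicode-aware acceptance check along the lines of NIST SP 800-63B. It accepts any script, NFKC-normalizes before doing anything else, measures length in code points rather than bytes, flags passwords that bcrypt would silently truncate at 72 bytes, and folds Cyrillic and Greek lookalikes back to Latin before a denylist lookup so that homoglyph substitution earns no credit. The denylist, the limits and the (partial) confusables table are constructed for this demo.

```python
"""Added example: Unicode-aware password acceptance check."""
import unicodedata

MIN_LENGTH = 12          # code points, counted after normalization
BCRYPT_MAX_BYTES = 72    # bcrypt ignores input beyond byte 72

# Lookalike letters -> the Latin letter they imitate.  Keys are Cyrillic and
# Greek; this is a constructed subset, Unicode's confusables.txt is the full list.
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "α": "a", "ε": "e", "ο": "o", "ρ": "p", "ν": "v", "ι": "i",
})


def normalize(password: str) -> str:
    """NFKC so that 'e' + U+0301 and precomposed 'é' produce identical bytes
    whatever the client's input method did.  Apply the same function before
    hashing, on both registration and login."""
    return unicodedata.normalize("NFKC", password)


def fold(password: str) -> str:
    """Canonical form for denylist comparison: normalized, case-folded,
    lookalikes mapped to Latin."""
    return normalize(password).casefold().translate(CONFUSABLES)


# Constructed denylist: common passwords in several languages plus the
# layout-shifted form of 'password'.  Stored pre-folded so lookups are cheap.
DENYLIST = {fold(w) for w in (
    "password", "qwerty", "123456", "пароль", "зфыыцщкв", "κωδικός", "كلمة السر",
)}


def check_password(password: str) -> list[str]:
    """Return the policy violations for `password`; an empty list means accepted."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(
            f"shorter than {MIN_LENGTH} characters ({len(pw)} after normalization)")
    if len(pw.encode("utf-8")) > BCRYPT_MAX_BYTES:
        problems.append(
            f"exceeds {BCRYPT_MAX_BYTES} UTF-8 bytes; bcrypt would silently truncate it")
    if fold(pw) in DENYLIST:
        problems.append("matches a known-weak password (after lookalike folding)")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a Russian dictionary word, 'password' with a Cyrillic
    # 'а', a layout-shifted word, a long Russian passphrase, and 40 Cyrillic
    # letters (80 bytes, over bcrypt's limit).
    for candidate in ("пароль", "p\u0430ssword", "зфыыцщкв",
                      "Летний Дождь Над Озером 2024", "я" * 40):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note what this check does not do: it never rejects a password for containing non-English characters. The Russian passphrase passes on length alone, while the Cyrillic-‘а’ ‘pаssword’ is rejected as the dictionary word it really is.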

Checking Character Set Support

If you’re unsure what character sets your system allows, you can test it during account creation or password reset.

  1. Try creating an account with a password containing characters from another language, then log in with it. If both succeed, the whole chain (form, transport, storage, verification) handles that script. Also try a long non-ASCII password: some hash functions limit input by bytes rather than characters (bcrypt stops at 72 bytes, which is only 36 Cyrillic letters), so a password that is accepted but silently truncated is weaker than it looks.
  2. Check the documentation for your database or authentication system; it should specify which encodings it supports and whether it normalizes passwords before hashing.