

Password Brute Force on Public Networks

TL;DR

Yes, but not the way films show it. Sitting on the same public network does not let an attacker guess your password any faster against a well-run online service; what it gives them is a position to capture credentials sent in the clear, to steer you to a fake login page, and to aim login guesses directly at any service your own device exposes (SSH, file sharing, remote desktop). Guessing through a login prompt that throttles or locks accounts is slow. The real danger is a weak or reused password, which falls to a dictionary or credential-stuffing attack in minutes, or to offline cracking once a password hash has been stolen. Strong, unique passwords and multi-factor authentication are the essential defences.

Understanding the Risk

Public networks (cafés, airports, hotels) are often open, or share one Wi-Fi password with every guest, so anyone else on the network can see your traffic at the link layer. If a login is not encrypted end to end they can read it outright, and they can set up a rogue access point with the same name and serve you a fake login page. Separately, any service listening on your laptop or phone (SSH, file sharing, remote desktop) is directly reachable from the same network, so an attacker can point login guesses at your device instead of at a hardened cloud service.

How Brute-Force Attacks Work

A brute-force attack tries candidate passwords until one is accepted. Pure brute force enumerates every combination of characters; in practice attackers start with wordlists, leaked passwords and simple mutations of them (dictionary attacks and credential stuffing), because most passwords are not random. How long an attack takes depends on:

  • Password Length: each extra character multiplies the search space by the size of the character set, so the cost grows exponentially with length.
  • Character Set: mixing uppercase and lowercase letters, numbers and symbols enlarges the per-character choice, but only helps if the password is not a dictionary word with predictable substitutions.
  • Online vs. Offline: guessing through the login prompt is limited by network round trips, rate limiting and lockout to perhaps a few attempts per second; cracking a stolen password hash offline runs at billions of guesses per second against a fast hash such as MD5, and thousands per second against a slow one such as bcrypt.
  • System Protections: many systems throttle or lock an account after a set number of failures, which caps online guessing outright.
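The following cost model is an added example (not code from the original article). It puts numbers on the points above: exhaustive search over a character set versus search over a word list, and online guessing (rate-limited, subject to lockout) versus offline cracking of a stolen hash. Every rate in it is an illustrative assumption, not a benchmark of any real system.

```python
"""Cost model for password guessing (added example, not from the article).

All guess rates are illustrative assumptions, not measurements.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates in guesses per second.
ONLINE_RATE = 10.0          # a throttled login form or SSH daemon
OFFLINE_FAST_HASH = 1e10    # GPU rig against an unsalted fast hash (e.g. MD5)
OFFLINE_SLOW_HASH = 1e4     # the same rig against a slow KDF (bcrypt/argon2)

PRINTABLE_ASCII = 95        # upper + lower + digits + symbols
DICEWARE_WORDS = 7776       # size of a standard Diceware word list


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive search must consider for a random password of
    `length` symbols, each drawn uniformly from `alphabet_size` choices."""
    return alphabet_size ** length


def expected_seconds(space: int, rate: float) -> float:
    """Expected time to hit the right guess: on average half the space is tried."""
    return (space / 2) / rate


def expected_years(space: int, rate: float) -> float:
    return expected_seconds(space, rate) / SECONDS_PER_YEAR


def online_guesses_per_day(threshold: int, lockout_minutes: float) -> int:
    """Upper bound on online guesses per day against one account that locks
    for `lockout_minutes` after `threshold` consecutive failures."""
    cycles_per_day = (24 * 60) / lockout_minutes
    return int(cycles_per_day * threshold)


def report() -> dict:
    """The figures a practitioner would actually compare."""
    return {
        # 8 random printable characters: a few days offline on a fast hash
        "8char_fast_hash_days": expected_seconds(
            keyspace(8, PRINTABLE_ASCII), OFFLINE_FAST_HASH) / 86400,
        # 12 random printable characters: hundreds of thousands of years
        "12char_fast_hash_years": expected_years(
            keyspace(12, PRINTABLE_ASCII), OFFLINE_FAST_HASH),
        # the same 12 characters against a slow hash: a million times longer
        "12char_slow_hash_years": expected_years(
            keyspace(12, PRINTABLE_ASCII), OFFLINE_SLOW_HASH),
        # 3 Diceware words are 17+ letters long, yet fall in seconds once the
        # attacker guesses words instead of characters (dictionary attack)
        "3word_fast_hash_seconds": expected_seconds(
            keyspace(3, DICEWARE_WORDS), OFFLINE_FAST_HASH),
        # 6 Diceware words rival 12 random characters
        "6word_fast_hash_years": expected_years(
            keyspace(6, DICEWARE_WORDS), OFFLINE_FAST_HASH),
        # even 8 random characters are out of reach through a throttled login
        "8char_online_years": expected_years(
            keyspace(8, PRINTABLE_ASCII), ONLINE_RATE),
        # with a lockout policy (5 failures, 15 minutes) the attacker's budget
        # against one account is a few hundred guesses a day
        "guesses_per_day_with_lockout": online_guesses_per_day(5, 15),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:30s} {value:,.2f}")
```

The two lessons the numbers carry: the character-set brute force that strength meters model is not the attack that succeeds against most people, and a lockout or throttling policy makes online guessing irrelevant, which is why attackers go after reused passwords and stolen hash databases instead.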

Steps to Protect Yourself

  1. Use Strong Passwords: This is the most important step.
    • Minimum 12 characters, preferably more. Length matters more than forced symbol mixing: a passphrase of five or six random words is as strong as 12 random characters and far easier to remember.
    • Mix uppercase and lowercase letters, numbers, and symbols where a site requires it, but do not rely on substitutions such as "P@ssw0rd"; cracking wordlists already include them.
    • Avoid dictionary words, personal information (birthdays, names), or common phrases, and never reuse a password across sites; reuse is what makes credential stuffing work.
    • Use a password manager to generate and store strong, unique passwords.
  2. Enable Multi-Factor Authentication (MFA): This adds an extra layer of security.
    • Even if someone guesses your password, they’ll also need a code from your phone or another device.
    • Most major online services offer MFA – enable it wherever possible!
  3. Use a Virtual Private Network (VPN): A VPN encrypts all your traffic between your device and the VPN provider's server.
    • This stops others on the public network from reading or tampering with your traffic, including to sites that still use plain HTTP.
    • It moves the trust to the VPN provider, who now sees that traffic instead. Prefer your employer's VPN or a paid provider with a clear logging policy over free services, which often monetise the data they see.
  4. Be Careful What You Connect To: Avoid connecting to suspicious Wi-Fi networks.
    • Check the network name carefully – attackers often create fake networks that look legitimate.
    • If possible, use a network you trust (e.g., your home or work network).
  5. Keep Your Software Updated: Updates often include security patches.
    • This protects against known vulnerabilities that attackers could exploit.
    • Enable automatic updates whenever possible.
  6. Check for HTTPS: Ensure websites use HTTPS (look for the padlock icon in your browser).
    • HTTPS encrypts communication between your computer and the website, protecting your login details.

Checking Password Strength

You can use online tools to check the strength of a password (but never enter a real password!). Some examples include:

  • HowSecureMyPasswordIs.net: Estimates how long it would take to crack a password by exhaustive search.

Treat such figures as an upper bound: they assume the attacker tries every combination, so a long but predictable password such as "Summer2024!" scores far better than it deserves. Estimators that also check wordlists and common patterns (zxcvbn is the best-known open-source one) give a more realistic picture.

Linux Specific Considerations

  1. SSH Configuration: If your machine runs an SSH server, disable password authentication and use key-based authentication instead. Install your public key and confirm that a key login works from a second session before you turn passwords off, or you can lock yourself out.
    sudo nano /etc/ssh/sshd_config

    Set PasswordAuthentication no (and KbdInteractiveAuthentication no, called ChallengeResponseAuthentication on older releases), validate the file with sshd's -t option, and restart the service (ssh on Debian/Ubuntu, sshd on RHEL). Note that sshd uses the first value it reads for each keyword, so a line appended at the end of the file does nothing if an earlier line, or a drop-in pulled in by the Include line at the top of recent Debian/Ubuntu configs (/etc/ssh/sshd_config.d/), already sets it to yes. Check the effective setting with sshd's -T option rather than trusting the file you edited.

  2. Fail2Ban: Install Fail2Ban to temporarily block IP addresses that make too many failed login attempts; its default sshd jail bans a source after 5 failures within 10 minutes.
    sudo apt install fail2ban # Debian/Ubuntu
    sudo yum install fail2ban # CentOS/RHEL (the package is in the EPEL repository; enable it first)

    Enable and start the service, and keep your own overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades overwrite. Fail2Ban cuts noise and slows attackers, but it is no substitute for disabling password logins: an attacker with many addresses simply spreads the attempts across them.
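Two checks for the Linux steps above, as an added example; this is not the article's code and not part of OpenSSH or Fail2Ban. The first resolves which value of an sshd_config keyword the daemon will actually use, applying the first-value-wins rule and expanding Include lines where they appear (Match blocks are ignored, a simplifying assumption). The second is Fail2Ban-style logic that bans a source IP after maxretry failures within findtime seconds, run over constructed auth.log lines. The config text, the drop-in file name and the log lines are all constructed sample data.

```python
"""sshd_config effective-value check and Fail2Ban-style ban logic
(added example; not the article's code, not OpenSSH or Fail2Ban code)."""
import re
from collections import defaultdict, deque
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed sshd_config: the admin appended "PasswordAuthentication no",
# but an included drop-in (the kind cloud-init writes) already says "yes".
MAIN_CONFIG = """
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication no
"""
INCLUDED = {  # constructed: path -> file contents
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def effective_value(keyword: str, text: str, included: Dict[str, str]) -> Optional[str]:
    """First value sshd would obtain for `keyword` (sshd keeps the first one it
    reads for top-level keywords), or None if it is never set."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return None  # assumption: stop at conditional blocks
        if key == "include":
            for path in sorted(included):  # sshd expands the glob in sorted order
                if fnmatch(path, value):
                    found = effective_value(keyword, included[path], included)
                    if found is not None:
                        return found
            continue
        if key == keyword.lower():
            return value
    return None


# Matches the failure line sshd writes to auth.log / the journal.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed log events as (unix timestamp, message). 203.0.113.7 hammers
# the host; 198.51.100.9 is a user mistyping now and then; one success is noise.
SAMPLE_LOG: List[Tuple[int, str]] = [
    (1000, "sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2"),
    (1000, "sshd[2103]: Failed password for invalid user bob from 198.51.100.9 port 40010 ssh2"),
    (1010, "sshd[2105]: Failed password for root from 203.0.113.7 port 51124 ssh2"),
    (1020, "sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 51126 ssh2"),
    (1030, "sshd[2109]: Failed password for root from 203.0.113.7 port 51128 ssh2"),
    (1035, "sshd[2110]: Accepted publickey for alice from 192.0.2.5 port 39000 ssh2"),
    (1040, "sshd[2111]: Failed password for root from 203.0.113.7 port 51130 ssh2"),
    (1300, "sshd[2120]: Failed password for bob from 198.51.100.9 port 40012 ssh2"),
    (1700, "sshd[2130]: Failed password for bob from 198.51.100.9 port 40014 ssh2"),
    (2000, "sshd[2140]: Failed password for bob from 198.51.100.9 port 40016 ssh2"),
    (2010, "sshd[2141]: Failed password for root from 203.0.113.7 port 51140 ssh2"),
]


def find_bans(events, maxretry: int = 5, findtime: int = 600) -> Dict[str, int]:
    """Return {ip: timestamp_of_ban}. Defaults mirror Fail2Ban's sshd jail
    (5 failures within 10 minutes). Events must be in time order."""
    recent: Dict[str, deque] = defaultdict(deque)
    bans: Dict[str, int] = {}
    for ts, msg in events:
        m = FAILED_RE.search(msg)
        if not m:
            continue
        ip = m.group("ip")
        if ip in bans:
            continue  # already banned; the firewall is dropping its packets
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    print("effective PasswordAuthentication:",
          effective_value("PasswordAuthentication", MAIN_CONFIG, INCLUDED))
    print("banned:", find_bans(SAMPLE_LOG))
```

The config check returns "yes" even though the visible file ends with "no", which is exactly the case sshd -T would reveal on a real host; the ban logic bans 203.0.113.7 on its fifth failure within the window and leaves the occasional mistyper alone.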

Windows Specific Considerations

  1. Account Lockout Policy: Configure Windows to lock accounts after a certain number of failed login attempts.

    Use the Local Security Policy editor (secpol.msc), under Account Policies > Account Lockout Policy, to set the lockout threshold, the lockout duration and the reset counter. A threshold around 10 with a short duration (10 to 15 minutes) stops online guessing without letting an attacker lock you out of your own account by deliberately failing logins. On a domain the same settings come from Group Policy.

  2. Strong Password Policies: Enforce strong password requirements for all user accounts.

    Also configurable via secpol.msc, under Account Policies > Password Policy (minimum length, complexity requirements and password history). On public Wi-Fi, also make sure the connection uses the Public network profile, so that Windows Firewall blocks inbound connections such as file sharing and Remote Desktop and there is no local login prompt to attack.
