With the growing influence of your social media accounts on your personal reputation or your business profile, the risk of an unsafe social media profile is bigger than ever. It needs no elaboration how much damage it does to your reputation if your Facebook password falls into the wrong hands. For a business, the cost will be a longer-lasting affair than can be anticipated at the time of the incident.

What is Brute Force?

Commonly interpreted as a password cracking tool, brute force can be deadlier than your wildest imagination in both scale and intelligence. In layman's terms, brute force is a mechanism used to identify the password of an online account (or a correct combination of user id and password, in the case of an application-specific attack) by automatically generating possible passwords and attempting them on the target web application.

The success probability of a brute force system depends largely on how intelligently it generates passwords in the most effective sequence, so that the correct password can be identified with the fewest trials. In 2017, the intelligence of a smart brute force system has gone far beyond what is needed to generate alphabetic and numeric characters. Trying all alphabetic and numeric combinations (starting from aaaaaa or aaaaa1111 ...) is the last option a modern brute force system resorts to, after its built-in intelligence has already made it try user-specific information first and dictionary words next.

Difference in risk for individual users between an application-targeted attack and a user-targeted attack

An application-wide attack occurs when a brute force system attempts to identify correct combinations of user id and password across a large base of Facebook users, typically not less than a million in number. Such attacks usually attempt dictionary words (or combinations of words) in conjunction with numbers and special characters. They make limited use of user-specific information in their password generation logic, because each user-specific parameter would force the system to try a different combination for each user in its target base.

The primary aim of such an attack is to get the passwords of as many Facebook users as possible without wasting much time on each individual account. So only Facebook accounts whose passwords consist solely of dictionary words and short numeric strings are exposed to such attacks. Accounts with stronger passwords (usually a combination of non-dictionary strings, longer numeric strings and special characters) remain unscratched, as they have not received the concentrated effort required.

An account-focused brute force attack is much more dangerous, as in that case the system is supplied with much more information about the target account. According to human psychology, we are prone to set passwords from about twenty particular pieces of information, such as the dates of birth of close family members, the name of our first school, a favourite teacher's name, friends' names and dates of birth, a pet's name, etc. In an account-targeted brute force attack, the password generation mechanism of the attacking program is supplied with far more information than it would deem necessary. Such information may include the names and dates of birth of all of your family members and close friends, the names of all the institutions you have ever attended, the names of all the organizations you have worked for, your favourite teachers, celebrities, colours, sports, movies, music, and the list can go on. Not to mention that such information is commonly available within one's Facebook profile itself. This information is then combined with the six most commonly used special characters (in general), i.e. ., -, _, #, $, % and &, to guess the correct password.

How to keep your account safe?

Less than 1% of all passwords are more than ten characters long. That's what makes brute force a commercially viable solution. A strong password is what can keep your Facebook account safe from hackers. A strong password does not necessarily mean a lengthy password. Let's be a little more intelligent than the hacker while setting up Facebook passwords. Here are 5 things you can do:

  1. Try to avoid dictionary words within your Facebook password. Even if you use dictionary words, modify their spelling or join two dictionary words together without any separation.
  2. Use capitalization evenly rather than capitalizing the first letter of each word. manGosHark is much more difficult to guess than MangoShark.
  3. Do not use dates directly in mmdd or ddmm format. Something like 22manGosHark02 is far better than manGosHark2202.
  4. Use special characters in the middle of the password rather than at the end. 22manG$osH#ark is something that makes it very difficult for any brute force system to guess.
  5. Use your own encryption. Shifting each letter one or two keys left or right makes it unpredictable while keeping it simple for you to remember. ‘MangoShark’ is a very easily predictable password. However, if we shift it two keys to the right on a standard QWERTY keyboard it appears as ‘>d,j[Fkdy;’ – that is a virtually invincible password.
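To make the five tips concrete, here is an added Python example (not code from the original article) that does two things: it implements the QWERTY key shift from tip 5, and it checks a candidate password against tips 1 to 4 and reports which of them it breaks. The checks are this editor's reading of the tips, not a standard: tip 1 uses a small constructed word list in place of a real dictionary, tip 2 flags passwords with no capitals or with capitals only at the start of each word, tip 3 flags any four consecutive digits that read as a valid mmdd or ddmm date, and tip 4 flags passwords with no special character strictly inside them.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary. Assumption:
# a real deployment would load a large word list from a file instead.
DICTIONARY = {"mango", "shark", "password", "facebook", "summer", "love"}

# Standard US QWERTY rows as typed without Shift and with Shift held.
QWERTY_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
# Map every printable key to (its row string, its index within that row).
KEY_POS = {ch: (row, i)
           for lower, upper in QWERTY_ROWS
           for row in (lower, upper)
           for i, ch in enumerate(row)}


def qwerty_shift(text, offset=2):
    """Tip 5: move every key `offset` positions to the right (negative = left)
    along its own keyboard row, keeping the Shift state. Rows wrap around, so
    the mapping is reversible with qwerty_shift(result, -offset). Characters
    not on the layout (e.g. space) pass through unchanged."""
    out = []
    for ch in text:
        if ch in KEY_POS:
            row, i = KEY_POS[ch]
            out.append(row[(i + offset) % len(row)])
        else:
            out.append(ch)
    return "".join(out)


def _looks_like_date(four_digits):
    """True if a 4-digit string is a plausible mmdd or ddmm value."""
    a, b = int(four_digits[:2]), int(four_digits[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)


def check_password(pw, dictionary=DICTIONARY):
    """Return the numbers of the article's tips 1-4 that `pw` violates
    (an empty list means it follows all four)."""
    violated = []
    low = pw.lower()

    # Tip 1: a dictionary word appears verbatim inside the password.
    if any(word in low for word in dictionary):
        violated.append(1)

    # Tip 2: no capitals at all, or capitals only at the start of each
    # run of lowercase letters (TitleCase, e.g. MangoShark).
    letters = re.sub(r"[^A-Za-z]", "", pw)
    if not any(c.isupper() for c in letters) or re.fullmatch(r"(?:[A-Z][a-z]+)+", letters):
        violated.append(2)

    # Tip 3: any window of four consecutive digits that reads as mmdd or ddmm.
    for run in re.findall(r"\d+", pw):
        if any(_looks_like_date(run[i:i + 4]) for i in range(len(run) - 3)):
            violated.append(3)
            break

    # Tip 4: no special character strictly inside the password (they are
    # absent, or sit only at the very start or end).
    if not any(ch in string.punctuation for ch in pw[1:-1]):
        violated.append(4)

    return violated


if __name__ == "__main__":
    for candidate in ["MangoShark", "manGosHark2202", "22manG$osH#ark"]:
        print(f"{candidate!r}: violates tips {check_password(candidate)}")
    print(qwerty_shift("MangoShark"))  # prints the article's '>d,j[Fkdy;'
```

Running it on the article's own examples gives `MangoShark` tips 1, 2 and 4, `manGosHark2202` tips 1, 3 and 4, and `22manG$osH#ark` none; the shift of `MangoShark` reproduces `>d,j[Fkdy;` exactly, and shifting the result back by two keys returns the original, which is what makes the scheme easy to remember.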

Other than creating a strong password, make it a practice to change the password of your Facebook account every 15 or 30 days. That gives an attacker only limited time. Once the password has been changed, theoretically the brute force system has to be reset.

Please note that there are techniques for stealing your password from the very device you use to log in to your Facebook account. So it does not always have to be a brute force attack for you to lose your password to an unintended party. Being careful has always been the best way to avoid danger.