A reverse brute-force attack is a type of brute-force attack in which an attacker uses a common password against multiple usernames in an attempt to gain access to a network. This term can also be written as reverse brute force attack, without the hyphen.
Reverse brute force attacks begin with the attacker having the password as a known value, but not the username. The attacker will then test the password against multiple possible usernames or encrypted files until, eventually, the right combination is found. Brute-force and reverse brute-force attacks are used to obtain access to a website, shut the site down, steal data or execute additional attacks.
How to prevent reverse brute-force attacks
Unfortunately, there are not many ways to defend against a reverse brute-force attack. Because reverse brute-force attacks start with access to a password, organizations should keep their passwords protected. An administrator, for example, could require users to have longer, more complicated passwords and enable two-factor authentication. Two-factor authentication provides an additional layer of security on top of the primary form of authentication. This is seen with new Apple devices that require users to input their Apple ID along with an additional six-digit code that is displayed on another trusted device. Administrators can also blacklist unknown, potentially malicious Internet Protocol (IP) addresses or whitelist any acceptable IP addresses.
Reverse brute-force attack vs. brute-force attack
A brute-force attack is the opposite of a reverse brute-force attack. Instead of a hacker starting with a password and testing it against usernames, a brute-force attack begins with the hacker knowing the username and guessing the password. The password is typically guessed through trial and error.
Brute-force attacks use automated tools to guess combinations of usernames and passwords until the correct input is found. The longer the password is, the more time it will take to find the correct input. Typically, a brute-force attack tests all possible combinations of allowable characters.
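The difference between the two attacks shows up in authentication logs, and per-account lockout counters miss the reverse form because each account sees only one or two failures. The following detection sketch is an added example, not part of the original article; the event format, sample data, function name and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (source IP, username, login succeeded); not real logs.
SAMPLE_EVENTS = (
    [("203.0.113.7", u, False) for u in
     ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [("198.51.100.23", "admin", False)] * 8
    + [("192.0.2.10", "alice", False), ("192.0.2.10", "alice", True)]
)


def classify_sources(events, min_users=5, max_per_user=2, min_failures=5):
    """Label each source IP by the shape of its failed logins.

    Thresholds are illustrative assumptions, to be tuned per environment.
    Passwords are never logged, so the spread over usernames is the signal.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    for ip, user, success in events:
        if not success:
            failures[ip][user] += 1

    verdicts = {}
    for ip, users in failures.items():
        busiest = max(users.values())
        if len(users) >= min_users and busiest <= max_per_user:
            # Many accounts, few tries each: one password tried over usernames.
            verdicts[ip] = "reverse-brute-force"
        elif busiest >= min_failures:
            # Many tries against a single account: password guessing.
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(ip, verdict)
```

Sources labeled here are candidates for the IP blacklisting described above; in practice the counts would be taken over a sliding time window.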