Brute Force Attack

Why Trust Techopedia

What Are Brute Force Attacks?

The brute force attack definition is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). 


To illustrate, here’s what a brute force attack explained in a realistic scenario is.

If you’ve forgotten the three-digit combination for the lock on your suitcase, you can, if you have the patience, systematically try every combination of numbers starting at 000 and methodically work your way through to 999. One of those combinations must be the correct one.

A brute force attack against a network or computer is similar to this, except instead of trying combinations of digits, combinations of letters and numbers are used. A variation on this, and a technique that is more commonly seen in practice, is to use a very long list of actual passwords and to try them one at a time. 

With the suitcase, it is obvious that one combination of three digits will work, with the brute force attack there is no guarantee that one of the passwords in the list will work, nor that the password will be stumbled upon by chance.

However, the longer the list of passwords, the more likely one of them will match the account’s password under attack. But there is a payoff. The longer the list the more time it takes to work through it. And password lists can be very long indeed. 

Techopedia Explains

Every time there is a data breach, the leaked passwords become available to the threat actors and they are added to the brute force password lists. Lists of leaked passwords and standard dictionary words are also used. This covers more combinations – and gives the attackers more chance of success – but adds to the time taken to work through the list.

The likelihood of a brute force attack being successful is predicated on three factors.

  • Whether your password is unique
  • Whether your password has been involved in a data breach
  • Whether you use a password or a pass-phrase

The details of over 10 billion compromised accounts are held on the Have I Been Pwned website. You can get a good idea of whether your password is unique or not by checking Have I been Pwned. You’ll probably find it in the database. With so many leaked accounts, it’s inevitable that there will be duplicates. 

Of course, if your password is in the Have I Been Pwned databases, it doesn’t mean one of your accounts was compromised. It might mean that, but it can also mean someone else’s account was compromised, and they happened to use the same password as yourself.

The important point to note is that if your password is found on the Have I Been Pwned website, regardless of where it came from, it will also be in the password lists used for brute force attacks. It doesn’t matter how obscure or robust your password is, if it’s in the password lists it’s untrustworthy. 

Brute force attacks can be thought of as threat actors having copies of thousands and thousands of keys. They try them one at a time at your door. If one happens to match your door, they can gain access. Where the copy of the key came from is irrelevant.

You should never use a password in more than one place. If that single password is compromised, all your accounts are exposed to risk. If you have too many passwords to remember, use a password manager. A good template for a secure password is three unrelated words joined with punctuation, forming a passphrase.

How Brute Force Attacks Work

How Brute-Force Attacks Work

Brute force attacks are not an end in themselves. They are a stepping-stone in the threat actors’ larger plan. Many systems restrict the number of failed log-in attempts making brute-forcing those systems more challenging. But the main targets for these types of attacks are not corporate networks – at least, not directly.

Remote user access technologies such as remote desktop protocol (RDP) or secure shell (SSH) should be configured with enforced timeouts after a given number of failed access attempts, or the account should be locked and a password reset enforced. Instead, brute force attacks target corporate portals, websites, hosted applications, and encryption keys or API keys to gain information from them that they can use to mount a secondary attack on the corporate network.

Gaining access to a corporate website allows the threat actor to access any files that are not encrypted. Mistakes during the design and implementation of the website can be exploited


For example, if the passwords are stored in plain text the threat actors now have all of the IDs and passwords for that system, not just for the compromised account. Usually, that means they also have the administrator’s credentials. If the administration credentials are the same as the corporate network’s administrator credentials, the threat actors have successfully compromised the main network by attacking the less-well guarded website or hosted application.

Even if they don’t immediately gain any additional exploitable information, the threat actors can modify web pages and inject malicious functionality so that subsequent logins are recorded and the account credentials captured. They then revisit the website using the compromised account and retrieve the list of recently used IDs and passwords. Eventually, they will obtain the administrator’s credentials.

Trying to crack an Application Programming Interface (API) key is a different but similar type of attack. The threat actors aren’t trying to discover a password to a user account, they are trying to discover a key to access an API. If the treat actors can access the API, they will attempt to extract information through an abuse of the API’s functionality.

Semi-Intelligent Brute Force Attacks

Brute force packages are easy to locate and download, making them available for any cybercriminal who wants to use them. There are packages with specialisms, such as those that attack Wi-Fi networks or network devices such as firewalls, routers, and other managed appliances.

Pure password look-up brute force packages read through the password lists and methodically use the passwords one after the other, and do no more than that.

The more sophisticated brute force packages use each password from the password list as-is, then apply common transformations to the passwords, and try those too. They can work through permutations of the base password, substituting numbers for vowels following the common convention of using 1 for ‘i’, 3 for ‘e’, 4 for ‘a’, and so on. They also translate passwords into leetspeak, where Techopedia becomes “73ch0p3d14”.

Some brute force packages will also work through permutations of digits that some users like to add to the end of passwords to represent the current year, the year they were born, or other significant dates.

As you’ll appreciate, performing these transformations takes longer the more characters there are in the password that is being tried. Sophisticated brute force software will make use of the graphics processing unit (GPU) of the attack computer to speed up the calculations that are required to work through the permutations.

Different Types of Brute Force Attacks

6 Types of Brute-Force Attacks

Brute force attacks can be categorized according to the different techniques they employ.

  • Traditional Brute Force Attack: An automated software package generates combinations of letters, numbers, and other characters and tries to stumble upon the combination that matches the password for the account under attack.
  • Password Look-Up Attack: Automated software reads a password at a time from a huge list of passwords collected from data breaches. Each password is tried against the account under attack.
  • Intelligent Password Look-Up Attack: Automated software reads a password at a time from a huge list of passwords collected from data breaches. Each password is tried against the account under attack, along with transformations of that password. The transformations emulate commonly used password tricks such as substituting vowels for digits.
  • Dictionary Attack: Like a Password look-up attack, but instead of a list of breached passwords a list of standard dictionary words is used. Transformations can be applied to the dictionary words also.
  • API Attack: An automated software package generates combinations of letters, numbers, and other characters and tries to stumble upon a combination that matches a user’s key for an Application Programming Interface.
  • Rainbow Table Attack: The threat actors extract the hashed password list from the compromised computer, and then look for matching hashes in their own very long list of hashed passwords. If any hashes match, they know what plain text password to use for that account.

Motives Behind Brute Force Attacks

Despite their simplicity, brute force attacks are driven by various motives, each reflecting the attacker’s intent and the value of the targeted data.

Gaining Unauthorized Access

The most common motive is to gain unauthorized access to personal or corporate accounts. Attackers often target email accounts, online banking, or social media profiles. 

By cracking the password, they gain the same access as the legitimate user, allowing them to steal sensitive information, commit fraud, or even impersonate the user for malicious activities.

Decrypting Encrypted Data

Another key motive is decrypting encrypted data. In cases where data is secured through encryption, the only way to access this information without the original key is to guess it – a perfect scenario for a brute force attack. 

This method is particularly concerning for businesses and governments that regularly encrypt sensitive data.

Brute Force Attack Tools

Brute force attack tools and software are designed to automate the guessing process and increase the attack’s efficiency. Here are some of the most common tools.

Tool Name Description Typical Use
John the Ripper A password cracker that automatically detects password hash types and employs dictionary and brute force attacks. Cracking password hashes, testing password strength.
Hydra Focuses on attacking online applications by rapidly generating and testing passwords against various protocols and services. Attacking web applications, network services, and remote authentication.
Aircrack-ng A tool for cracking Wi-Fi network passwords using weaknesses in the WEP/WPA/WPA2 security protocols. Cracking Wi-Fi network passwords.
Hashcat An advanced password recovery tool, known for its speed and ability to crack many hash types using GPUs. Password recovery for a variety of hash types.
RainbowCrack Uses a time-memory trade-off algorithm to crack hashes. It pre-computes tables of hash chains to significantly speed up the cracking process. Efficient hash cracking by reducing computation time.

How to Protect Against Brute Force Attacks

While no single defense is foolproof against a brute force attack, organizations can put in place measures that increase the time it will take for brute force attacks to succeed, or require additional actions from the user. This improves overall brute force attack prevention.

  • Enable multi-factor authentication where possible. This adds something the user has—such as a cell phone or a USB key or fob – to the password. Both authentication methods must be present, meaning the password on its own is insufficient.
  • Use robust passwords and passphrases that are unique, and stored in an encrypted form.
  • Implement a password policy that instructs and guides staff members in password robustness, complexity, and uniqueness, and re-use.
  • Limit log-in attempts to a small number of failed attempts in a given timeframe. Lock the account when the threshold has been reached, or force a password reset.
  • Enable captchas or other image-based systems designed to prove the access attempt is being made by a human and not a bot.
  • Consider using a password manager. A password manager will automatically generate complex passwords and make it easy to have a different password for every system.

Strengths and Weaknesses of Brute Force Attacks

Brute force attacks, with their straightforward approach of trying every possible combination until the correct one is found, have distinct strengths and weaknesses. Understanding these can help in better preparing for and defending against these attacks.

Strengths Weaknesses
  • Effectiveness Against Weak Passwords: Brute force attacks are highly effective against weak or commonly used passwords. Since many users opt for default or easy-to-remember passwords, these attacks can often quickly find the correct combination.
  • Simplicity: The simplicity of brute force attacks is also a strength. They don’t require a sophisticated understanding of the underlying system or exploit vulnerabilities other than the password’s strength.
  • Versatility: These attacks can be applied to any system that uses password-based authentication, making them a universally applicable method for attackers.
  • Time-Consuming: The biggest limitation of brute force attacks is the time required to find the correct password. As password complexity increases (with longer lengths and the use of various character types), the time needed to crack the password grows exponentially.
  • Easily Detected: Many modern security systems can detect and block brute force attacks by identifying rapid, repeated login attempts. This makes brute force attacks less feasible against systems with such protective measures in place.
  • Computational Resources: Executing a brute force attack, especially on complex passwords, requires significant computational power. This can be a substantial barrier, particularly for more secure systems with strong, complex passwords.
  • Improved Security Measures: The widespread use of CAPTCHAs, account lockout policies, and two-factor authentication has made brute force attacks less successful. These security measures add layers of protection that a brute force attack cannot easily bypass.

COVID-19 Prompted an Increase in Brute Force Attacks

With the rush to implement remote access systems to allow employees to work from home during the COVID-19 pandemic, security has often taken a back seat. The threat actors realized this of course, and there has been an increase in the number of brute force attacks since the pandemic began.

Threat actors are nimble, and can almost instantly exploit any new situation or major news story by re-deploying their existing threats. Brute-forcing was back in fashion.

This is a primary example of why you must remain diligent about security at all times–especially in times of crisis.

The Bottom Line

Brute force attacks highlight a critical vulnerability in digital security: weak passwords. Protecting against these attacks requires strong, complex passwords and the implementation of advanced security measures like 2FA. As attackers continually refine their methods, staying informed and adopting robust security practices is necessary.

The ongoing battle against brute force attacks demonstrates the need for a proactive cybersecurity approach. By understanding these attacks’ strengths and weaknesses, individuals and organizations can effectively fortify their defenses, keeping their digital assets secure against this persistent threat.


What is a real-life example of a brute force attack?

Is it illegal to do a brute force attack?

How long can a brute force attack last?

How likely is a brute force attack?


Related Questions

Related Terms

Marshall Gunnell
IT & Cybersecurity Expert
Marshall Gunnell
IT & Cybersecurity Expert

Marshall, a Mississippi native, is a dedicated expert in IT and cybersecurity with over a decade of experience. Along Techopedia, his bylines can be found on Business Insider, PCWorld, VGKAMI, How-To Geek, and Zapier. His articles have reached a massive readership of over 100 million people. Marshall previously served as the Chief Marketing Officer (CMO) and technical staff writer at StorageReview, providing comprehensive news coverage and detailed product reviews on storage arrays, hard drives, SSDs, and more. He also developed sales strategies based on regional and global market research to identify and create new project initiatives.  Currently, Marshall resides in…