What Is a Brute Force Attack?

A brute force attack is a cyberattack in which hackers guess passwords or passphrases to gain unauthorized access to a system. Brute force attacks, also known as brute force cracking and exhaustive searches, have accounted for about 5% of all confirmed data breach incidents. Hackers use brute force attacks due to their simple and reliable nature. One of the best ways to prevent brute force attacks is to create more complex passwords, making them harder for hackers to guess.

What Is the Definition of Brute Force Attack?

A brute force attack is a cryptographic hack relying on correctly guessing the combination of symbols within a password. The guesses for combinations of symbols are made at random and are less and less likely to work as password length increases. Brute force attacks are usually done by automated software and scripts because these attacks typically take a large amount of time to perform. These attacks are referred to as “brute force” because they don’t have a systematic approach to cracking a password, relying instead on guesswork. Brute force attacks are also called exhaustive searches because the technique exhausts all password options until the correct one is found.

Brute Force Attack Definition

There are physical limits on how the targeted passwords can crack during a brute force attack type of hacking. For example, 128-bit symmetric keys are considered secure against brute force attacks because the attack would encounter the Landauer limit. A 256-bit encryption key would take, on average, 2^256 guesses to guess correctly, which equates to trillions of years using current technology. Brute force methodologies have been used in cryptography since as early as the 1970s. And they continue to be widely used to this day.

What Type of an Attack Is a Brute Force Attack?

A brute force attack will guess passwords within a system until the hackers find the right one. This makes brute force a reliable and simple attack to pull off, leading to its global popularity.

What Is the History of Brute Force Attacks?

Brute force attacks have a history closely coinciding with the advent of the internet. But brute force techniques were already being used in cryptography in the late-20th century, and this age-old hacking method is still widely used today.

How Are Brute Force Attacks Used?

An image featuring username and password concept

Brute force attacks are used to obtain the following private information.

  • Passwords
  • Usernames
  • Personal Identification Numbers
  • Passphrases

These attacks use a script, tool or similar process to give the attacker this information. The attacker can then use the data for their own agenda, which could include any of the following actions.

  • Stealing personal information to have access to private accounts or resources.
  • Selling stolen credentials to third parties.
  • Imposing themselves as the victim to spread misinformation or phishing links.
  • To reap the ad benefits of a victim-owned website.
  • Damaging the reputation of a website or organization by spreading secrets or misinformation.
  • Redirecting a victim-owned site’s domain to the hacker’s own domain.
As for non-malicious uses, these attacks are also useful for testing network security and encryption strength within a network.

How to Make a Brute Force Attack?

Brute force attacks are generally made using tools made specifically for them.

What Are the Types of Brute Force Attacks?

A simple brute force attack attempts cracking passwords at random without relying on external logic, but there are a few more sophisticated ways of employing them.

Dictionary Attack

An image featuring a book that says dictionary attack on it

A dictionary attack is a kind of brute force attack where the attacker utilizes a dictionary of possible passwords. Generally, a dictionary attack will start with assumptions about common passwords and use this information to get a better guess.

To prevent dictionary attacks, use a long password containing a variety of different symbols without any meaning. The goal is to make the password as random as possible, thus lowering the hacker’s chances of guessing the correct combination of letters, numbers and symbols.

Credential Stuffing

An image featuring credential stuffing concept

Credential stuffing is an attack that uses already stolen login combinations to access other sites. This method works because people tend to use the same usernames and passwords across different sites and online services.

To prevent credential stuffing attacks, use a different username and password combination for every site.

Hybrid Brute Force Attack

An image featuring a brute force attack concept

A hybrid brute force attack combines a dictionary brute force attack with a basic brute force attack. In a reverse brute force attack, the hacker will use a dictionary to try different words and basic brute force attack methodologies to guess the symbols afterwards (usually one to four numbers.)

To prevent hybrid brute force attacks, use a long password that contains a variety of different symbols without any meaning.

Password Spraying

Password spraying is a kind of brute force attack that tries to apply common passwords to various accounts. By doing this, these attacks avoid most lockout policies. Usually, password spraying is used against sites with SSO or apps that use federated authentication.

Pro Tip:

To avoid password spraying, use multi-factor authentication.

Reverse Brute Force Attack

A reverse brute force attack is one where instead of starting with a username and looking for a password, the attacker has a password and is looking to brute-force the username.

Using more complex usernames is an effective way to get around reverse brute force attacks.

What Are the Examples of Brute Force Attacks?

An image featuring a brute force attack concept
  • Brute force attacks caused up to 21 million Alibaba accounts to get compromised in 2016, accounting for one-fifth of the site’s user base. The attack was a mixture of hybrid brute force and password spraying methods.
  • In 2018, Magento suffered from a brute force attack leading to about 1,000 admin panels being compromised.
  • The Westminster Parliament saw 90 emails cracked using brute force strategies.
  • In 2018, Firefox had an issue with its master password feature being easily brute-forcible.
  • In 2018, multiple members of the Irish Parliament were subject to a brute force attack.

What Are the Statistics about Brute Force Attacks?

An image featuring a brute force attack concept
  • 5% of all data breaches in 2017 were caused by brute force attacks.
  • 80% of all web application attacks are brute force in nature.
  • 25% of all network attacks are brute force attacks.
  • The top 10 most common passwords in the world are easily beaten by brute force attacks.
  • 13% of all production websites are vulnerable to brute force attacks.
  • Some brute force attacks involve checking up to 1 billion passwords per second.
  • More than 10 million people are affected by brute force attacks each year.
62% of all breaches not caused by errors or misuse were caused by brute force attacks or phishing.

What Can Attackers Gain via Brute Force Attacks?

An image featuring a brute force attack concept
  • Access to an individual’s personal data
  • Access to a system to deface an organization or launch other malicious activities on the target system
  • The ability to edit a website for monetary gain
  • The ability to spread malware within an organization
  • The ability to reap the benefits from a website’s ad- or activity-based revenue

Is a Brute Force Attack Illegal?

In most cases, brute force attacks are used with the intention of stealing the credentials of a given user. This is an act of theft and is therefore illegal.

The only situation where a brute force attack is legal is for security testing purposes, accompanied by a consent form signed by the owner.

What Are the Laws Regarding Brute Force Attacks?

Although no laws currently enacted pertain specifically to brute force attacks, these attacks are likely to violate other laws instituted within a given country, such as the examples below.

An image featuring laws concept
  • Personal Information Protection and Electronic Documents Act (PIPEDA) legislation and related regulations in Canada
  • Decreto-Lei No 2.848, de 7 de Dezembro de 1940 in Brazil
  • Lei Nº 12.965, de 23 de Abril de 2014 in Brazil
  • Computer Fraud and Abuse Act (18 U.S. Code 1030) in the United States
  • Canada Evidence Act (R.S.C., 1985, c. C-5) in Canada
  • Decreto Legislativo, marzo 2005, Codice dell’amministrazione digitale – aggiornato al decreto legislativo, Dicembre 2017, in Italy


Many other laws apply in countries around the world. Oftentimes, brute force attacks will also violate laws not directly pertaining to cybercrime but rather anti-identity theft, fraud or similar legislation.

How to Protect Yourself from Brute Force Attacks?

An image featuring preventing brute force attack concept
  • Limiting failed login attempts drastically increases the time it takes for a brute force attack to succeed.
  • Implement an internal timer between each attempt; even half a second can render brute force attacks ineffective.
  • Use multi-factor authentication so that a simple username/password combination is no longer enough to gain entry.
  • Make policies rejecting simple passwords that are short, include too few symbols, or aren’t a mix of upper and lower case letters.
  • Set up requirements to change passwords regularly.
  • Use a blacklist to stop known attackers from accessing the system.
  • Require CAPCHA after an unsuccessful attempt.
  • Salt the password hashes by automatically adding random strings of letters and numbers at the end of each password. This way, users with the same password will have a different hash.
  • Encrypt passwords with 256-bit encryption.
  • Make the user root inaccessible via SSH.

How Can Users Strengthen Their Passwords Against Brute Force Attacks?

An image featuring having a strong password concept
  • Use longer passwords.
  • Use passwords that don’t contain words.
  • Use a mixture of numbers, letters, and symbols.
  • Use different passwords for every website.
  • Use a password manager to help keep all passwords separate.
  • Use usernames with a few different symbols and numbers.

What Should You Do If You Become a Victim of a Brute Force Attack?

  • File a criminal complaint immediately with as many details as possible. Note the time that the attack occurred, and try to capture any available data about your system at the time.
  • Fill out a report, such as a Honeypot Brute Events Report, to help the authorities deal with the attacker.
  • Submit the IP address to a database like BlockList.de.

What Are the Softwares to Perform Brute-Force Attacks?

There are a variety of software programs out there that can perform brute-force attacks. Some are made to be used maliciously, while others are made primarily with penetration testing in mind.

An image featuring brute force attack software concept
  • Gobuster: A tool capable of creating swift brute force attacks that is also lightweight and excels at performing multiple tasks at once
  • Aircrack-ng: A popular WiFi password-cracking tool that uses a dictionary attack methodology
  • John the Ripper: One of the most popular tools of its kind, this free password-cracking program supports a wide variety of attacks and is available on 15 different platforms
  • DaveGrohl: A macOS tool enabling attackers to launch dictionary attacks from multiple devices using the same password hash
  • THC Hydra: A tool that performs dictionary attacks against over 30 protocols to crack network authentication passwords
  • BruteX: An all-in-one cracking tool that supports a variety of brute force attack methods
  • Callow: A great brute force attack tool for beginners written in Python
  • SSB: Secure Shell Bruteforcer is one of the fastest tools at brute-forcing SSH servers

What Are the Other Threats?

There are a lot of cyber threats out there, with brute force attacks being one of many.

An image featuring cyber threats concept
  • Doxing: When an online user’s private identity or other details like an address or phone number are exposed to the public without the user’s consent
  • DDoS: Distributed-Denial-of-Service attacks are done by flooding a network with too many requests so that it crashes
  • MitM: Man-in-the-Middle attacks are when an attacker inserts themselves between two transmission points to steal or tamper with the data
  • Malware: Malware are programs that commit malicious activities once installed on a target’s device, system or network
  • APT: Advanced Persistent Threats are groups of attackers that launch large-scale attacks on a nation or organization to exfiltrate data or commit other malicious actions
  • Cryptojacking: An attack where the attacker hijacks a device to mine cryptocurrency
  • Phishing attacks: Social engineering attacks where users are prompted to share private or company details to a third party

Why Are Brute Force Attacks Dangerous?

An image featuring private information concept

Brute force attacks are dangerous because they’re a simple yet effective way to obtain private information if a user or network isn’t protected. These attacks come in a variety of forms and require businesses to take multiple precautions to be safe.

Successful brute force attacks can lead to massive losses in revenue. Downtime is a natural consequence of a successful brute force attack. Businesses can also lose a lot of data from a successful brute force attack. The malicious party might steal the business’ data or even their website as a whole for an amount of time.


The loss of data and downtime combined cause users to distrust the business more. This means that the impact of a successful brute force attack can leave a lasting scar on a business’ reputation for years.

What Is a Reverse Brute Force Attack?

A reverse brute force attack is one where instead of starting with a username and looking for a password, the attacker has a password and is looking to brute-force the username.

These attacks are generally used when there has been a password leak and the attacker is attempting to match the passwords to the usernames.

What Are the Weaknesses of Brute Force?

An image featuring a brute force attack concept

Brute force attacks are one of the simplest forms of cyberattacks but also one of the weakest. Regardless of how sophisticated, a brute force attack is unlikely to work if a company follows cybersecurity protocols with its users.

Traditional brute force attacks are weakest to encryption. 256-bit encryption would take a traditional brute algorithm 2^256 guesses to get right, which would take trillions of years.

Brute force attacks are also very slow against even moderately secured networks. Sometimes they take months or even years to finally guess the right password.

Since brute force attacks are well-known as one of the most popular attack vectors, most companies are well-equipped to handle them. Rate-limiting is built into most popular platforms today, which makes brute force attacks a more time-consuming effort.

Ilija Miljkovac Ilija is a tech & cybersecurity writer residing in Leeds, UK. His passion for everything tech started when he was a child and culminated in a computer science degree and 5 years of writing in the field.
Leave a Comment