What Is A Brute Force Attack?
Learn about the types of brute force attacks and tips on how to prevent them.
A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information.
The name "brute force" comes from attackers using excessively forceful attempts to gain access to user accounts. Despite being an old cyberattack method, brute force attacks are tried and tested and remain a popular tactic with hackers.
A simple brute force attack occurs when a hacker attempts to guess a user’s login credentials manually without using any software. This is typically through standard password combinations or personal identification number (PIN) codes.
These attacks are simple because many people still use weak passwords, such as "password123" or "1234," or practice poor password etiquette, such as using the same password for multiple websites. Passwords can also be guessed by hackers that do minimal reconnaissance work to crack an individual's potential password, such as the name of their favorite sports team.
A dictionary attack is a basic form of brute force hacking in which the attacker selects a target, then tests possible passwords against that individual’s username. The attack method itself is not technically considered a brute force attack, but it can play an important role in a bad actor’s password-cracking process.
The name "dictionary attack" comes from hackers running through dictionaries and amending words with special characters and numbers. This type of attack is typically time-consuming and has a low chance of success compared to newer, more effective attack methods.
A hybrid brute force attack is when a hacker combines a dictionary attack method with a simple brute force attack. It begins with the hacker knowing a username, then carrying out a dictionary attack and simple brute force methods to discover an account login combination.
The attacker starts with a list of potential words, then experiments with character, letter, and number combinations to find the correct password. This approach allows hackers to discover passwords that combine common or popular words with numbers, years, or random characters, such as "SanDiego123" or "Rover2020."
A reverse brute force attack sees an attacker begin the process with a known password, which is typically discovered through a network breach. They use that password to search for a matching login credential using lists of millions of usernames. Attackers may also use a commonly used weak password, such as "Password123," to search through a database of usernames for a match.
Credential stuffing preys on users’ weak password etiquette. Attackers collect username and password combinations they have stolen, then test them on other websites to see if they can gain access to additional user accounts. This approach succeeds when people reuse the same username and password combination, or the same password, across various accounts and social media profiles.
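The attack types above leave different fingerprints in authentication logs: a simple, dictionary, or hybrid attack produces many failures against one account from one source, while a reverse brute force attack or credential stuffing produces one or two failures each across many accounts (the two are hard to tell apart from logs because the guessed password is never recorded). The following detection script is an added example written for this page, not code from the original article; the sshd-like log format, the sample lines, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in an sshd-like "Failed password" format (the format is an
# assumption for this example; adapt LINE_RE to your own authentication logs).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:02Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:03Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:04Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:05Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:06Z host1 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:01:00Z host1 sshd: Failed password for bob from 198.51.100.7
2024-05-01T10:01:01Z host1 sshd: Failed password for carol from 198.51.100.7
2024-05-01T10:01:02Z host1 sshd: Failed password for dave from 198.51.100.7
2024-05-01T10:01:03Z host1 sshd: Failed password for erin from 198.51.100.7
2024-05-01T10:01:04Z host1 sshd: Failed password for frank from 198.51.100.7
2024-05-01T10:02:00Z host1 sshd: Failed password for gina from 192.0.2.9
2024-05-01T10:02:05Z host1 sshd: Accepted password for gina from 192.0.2.9
"""

LINE_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Extract (user, source_ip) pairs from failed-login lines; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def classify_sources(failures, per_user_threshold=5, distinct_user_threshold=5):
    """Label each source IP by the shape of its failures.

    brute_force       -> many failures against a single account (simple/dictionary/hybrid)
    spray_or_stuffing -> a few failures each across many accounts (reverse brute force or
                         credential stuffing; they look alike because passwords are not logged)
    benign            -> nothing above threshold
    The thresholds are assumptions; tune them to your baseline of ordinary typos.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for user, ip in failures:
        per_ip[ip][user] += 1
    verdicts = {}
    for ip, users in per_ip.items():
        max_per_user = max(users.values())
        if max_per_user >= per_user_threshold:
            verdicts[ip] = "brute_force"
        elif len(users) >= distinct_user_threshold:
            verdicts[ip] = "spray_or_stuffing"
        else:
            verdicts[ip] = "benign"
    return verdicts


def analyze(log_text):
    """Parse a log and classify every source IP that appears in it."""
    return classify_sources(parse_failures(log_text))


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Run on the sample, the script flags 203.0.113.5 as a brute force source (six failures against alice), 198.51.100.7 as spraying or stuffing (five accounts, one failure each), and leaves 192.0.2.9 alone (a single failure followed by a successful login). Counting per source IP is deliberate: a per-account counter alone never notices a stuffing campaign that touches each account only once.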
Brute force hacking requires plenty of patience because it may take months or even years for an attacker to successfully crack a password or encryption key. However, the potential rewards are huge.
A hacker may launch a brute force attack on a website or multiple websites to earn financial profit from advertising commission. Common methods include:
Hacking into a user’s personal accounts can provide a treasure trove of data, from financial details and bank accounts to confidential medical information. Access to an account enables an attacker to spoof a person’s identity, steal their money, sell their credentials to third parties, or use the information to launch wider attacks.
Personal data and login credentials can also be stolen through corporate data breaches that see attackers gain access to organizations’ sensitive databases.
Brute force attacks are often not personal. A hacker may simply want to create havoc and showcase their malicious skills. They may do this by spreading malware via email or Short Message Service (SMS) messages, concealing malware within a spoofed website designed to look like a legitimate site, or redirecting website visitors to malicious sites.
By infecting a user’s computer with malware, the attacker can then work their way into connected systems and networks and launch wider cyberattacks against organizations.
Brute force attacks can play a role in malicious actors launching broader attacks using multiple devices, called a botnet. This is typically a distributed denial-of-service (DDoS) attack that aims to overpower the target’s security defenses and systems.
Brute force attacks are often launched in an attempt to steal data from an organization, which not only costs them financially but also causes huge reputational damage. Websites can also be targeted with attacks that infest them with obscene or offensive text and images, thereby denigrating their reputation, which could lead to them being taken down.
Guessing a user’s email or social media website password can be a time-consuming process, especially if the accounts have strong passwords. To simplify the process, hackers have developed software and tools to help them crack passwords.
Brute force attack tools include password-cracking applications, which crack username and password combinations that would be extremely difficult for a person to crack on their own. Commonly used brute force attack tools include:
These types of software can rapidly guess combinations that identify weak passwords and crack multiple computer protocols, wireless modems, and encrypted storage devices.
A brute force attack can also demand huge amounts of computing power. To combat that, hackers have developed hardware solutions that simplify the process, such as combining a device’s central processing unit (CPU) and graphics processing unit (GPU). The many cores of a GPU let a system test a large number of candidate passwords in parallel, which allows hackers to crack passwords significantly faster.
Individuals and organizations can employ several tactics to protect themselves against brute force attacks on commonly targeted services such as Remote Desktop Protocol (RDP). Cryptanalysis, the study of ciphers and cryptography, can also help organizations strengthen their security defenses and safeguard their confidential information from brute force attacks.
The best way to defend against brute force attacks that target passwords is to make passwords as tough as possible to crack. End-users have a key role to play in protecting their and their organization's data by using stronger passwords and following strict password best practices. This will make it more difficult and time-consuming for attackers to guess their passwords, which could lead to them giving up.
Stronger password best practices include:
There is little point in users following strong password best practices if their organization is not capable of protecting their data from brute force attacks. The onus is also on the organization to safeguard its users and bolster network security through tactics such as:
In addition to user awareness and solid IT security, businesses must ensure that systems and software are always kept up to date and provide ongoing support to employees.
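A password policy is only as good as the check that enforces it. The screening function below is an added example for this page, not code from the original article; it rejects the patterns the article describes (common passwords such as "password123", and dictionary words padded with digits or a year, such as "SanDiego123" or "Rover2020") by reversing the amendments a hybrid attack applies. The minimum length, the small word lists, and the substitution map are constructed assumptions; a production check would load a large dictionary and a breached-password list.

```python
import re

# Constructed denylist of frequently guessed passwords. The page names "password123",
# "1234" and "Password123"; the remaining entries are assumed additions for the example.
COMMON_PASSWORDS = {"password", "password123", "1234", "123456", "qwerty", "letmein"}

# Constructed stand-in for the word lists an attacker amends with digits and symbols.
DICTIONARY_WORDS = {"password", "sandiego", "rover", "welcome", "summer", "admin"}

# Character substitutions that cracking rules routinely undo (the mapping is an assumption).
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def normalize(password):
    """Recover the dictionary word a hybrid attack would have started from:
    lowercase, strip leading/trailing digits and symbols, then undo leet substitutions."""
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(LEET_MAP)


def check_password(password, min_length=12):
    """Return (accepted, reasons). The 12-character minimum is an assumed policy value."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if re.fullmatch(r"\d+", password):
        reasons.append("digits only")
    if normalize(password) in DICTIONARY_WORDS:
        reasons.append("dictionary word padded with digits or symbols")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["password123", "SanDiego123", "Rover2020", "S4nD1ego99",
                      "blue-kettle-orbit-47-mango"]:
        accepted, reasons = check_password(candidate)
        print(f"{candidate:28} {'ok' if accepted else 'rejected: ' + ', '.join(reasons)}")
```

Note that "S4nD1ego99" is caught even though it contains no plain dictionary word: normalizing strips the trailing digits and maps 4 and 1 back to a and i, which is exactly what an attacker's mangling rules generate in the other direction. A multi-word passphrase passes because no single padded word remains after normalization.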
Encryption is a cybersecurity tactic that scrambles data so it appears as a string of random characters. The correct encryption key will unscramble the data.
A 128-bit encryption key has 2^128 possible values that an attacker would have to try, which is infeasible even for the most powerful computers. Most websites and web browsers use it. 256-bit encryption makes data protection even stronger, to the point that even a powerful computer that can check trillions of combinations every second would never crack it. This makes 256-bit encryption completely immune to brute force attacks.
In the vast majority of cases, a brute force attack is illegal. It is only legal when an organization runs a penetration test against an application and has the owner’s written consent to do so.
Brute force attacks are a fairly common method used by cyber criminals. They accounted for 5% of all data breaches in 2017, according to Verizon research.
The longer and more complex a password is, the more difficult it is to crack. An eight-character password is widely considered to be crackable in a few hours. Research published in 2019 found that any eight-character password, no matter how complex, could be cracked in just 2.5 hours.
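The figures in the encryption passage (2^128 keys, trillions of guesses per second) and the eight-character password claim above both come down to one calculation: the size of the search space divided by the attacker's guess rate. The script below works that calculation through as an added example for this page, not code from the original article. The guess rate of one trillion per second, the 95-character printable charset, and the hash slowdown factor are constructed assumptions, so the exact hours differ from the 2.5 hours the cited research reports.

```python
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speed: one trillion guesses per second, the order of magnitude the
# page describes as "trillions of combinations every second".
ASSUMED_GUESS_RATE = 1e12


def password_space(charset_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from a charset."""
    return charset_size ** length


def key_space(bits):
    """Number of distinct keys of the given bit length (2^bits)."""
    return 2 ** bits


def seconds_to_exhaust(space, guesses_per_second=ASSUMED_GUESS_RATE, slowdown=1):
    """Worst-case time to try every candidate.

    `slowdown` models a deliberately slow password hash on the defender's side: a hash
    that costs 10,000x a fast one divides the attacker's effective rate by 10,000.
    """
    return space / (guesses_per_second / slowdown)


def hours_to_exhaust(space, **kw):
    return seconds_to_exhaust(space, **kw) / SECONDS_PER_HOUR


def years_to_exhaust(space, **kw):
    return seconds_to_exhaust(space, **kw) / SECONDS_PER_YEAR


def scenarios():
    """Worked figures for the page's cases; 95 = printable ASCII characters (assumption)."""
    return {
        "8 printable chars, hours": hours_to_exhaust(password_space(95, 8)),
        "8 printable chars, slow hash x10000, years":
            years_to_exhaust(password_space(95, 8), slowdown=10_000),
        "16 lowercase chars, years": years_to_exhaust(password_space(26, 16)),
        "128-bit key, years": years_to_exhaust(key_space(128)),
        "256-bit key, years": years_to_exhaust(key_space(256)),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:45} {value:.3g}")
```

Two points the numbers make: a 128-bit key takes on the order of 10^19 years to exhaust at a trillion guesses per second, and a 256-bit key is astronomically further out, whereas an eight-character password from the full printable charset falls in under two hours at the same rate. The "slow hash" row shows the organization-side lever: storing passwords with a deliberately expensive hash turns those two hours into years without asking users for anything. These are exhaustive-search times; on average an attacker succeeds after searching half the space.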