What is a Brute Force Attack

A brute force attack is one of the oldest hacking techniques still in circulation today. The idea behind it is to try every possible entry until the correct one is found. Brute force attacks fall under the category of “cryptanalytic attacks,” which simply means that the attack seeks to break a cryptographic hash. The other term commonly associated with a brute force attack is “exhaustive search” because, as the name implies, it tests every permutation of a set of data until the correct one is found.

Typically, brute force attacks are associated with password discovery. Brute forcing can also reveal hidden data in applications and web pages. For the sake of clarity, this look into brute forcing will focus more on password discovery as most security incidents involve this version of the attack. At least five percent of all cybersecurity attacks are a result of brute-forcing.

Brute Force Attack Tools

Cybercriminals are becoming smarter, and so are their methods. You must be aware of the threats you face online if you are to avoid them. Some of the most common ones you are likely to be vulnerable to include:

Malware:

Malware is malicious software that has been designed to access and collect your personal information behind your back. Examples include viruses, spyware, worms, trojans, ransomware, and more.

Phishing:

This is where a hacker tries to gain access to your data by posing as a legitimate organization. They operate via fake SMS alerts, emails, phone calls, and even websites.

Cyberbullying:

The popularity of social media means that anyone can talk to anyone. Some individuals use this as a means to harass, bully, and stalk others online.

Online Predation:

An individual or a group can use social media to lure impressionable young adults or minors in order to extort money from them or abuse them sexually.

Sextortion:

This is where an individual or a group obtains sexually sensitive photos or videos and then uses them as leverage to extort money or sexual favors from the victim.

Identity Theft:

This is by far one of the most severe threats all users face online. A cybercriminal may gain access to your personal information as well as banking details. They can then use it to impersonate you online and commit frauds and crimes under your name.

Wi-Fi Eavesdropping:

Cybercriminals may break into your network and listen in on all of your incoming and outgoing traffic. This can then be used to steal any data transmitted over the compromised network.

Spam:

It starts as a barrage of emails and unwanted messages sent to you. However, this can often lead to phishing, malware, cyberbullying, and other forms of threats if you are not careful.

Ransomware:

This is the most prominent form of malware: it encrypts all files on your computer and then extorts the user into paying exorbitant amounts to decrypt them.

Types of Brute Force Attacks

Dictionary attack:

This is the classic brute forcing method. An attacker goes through a set database of all possible passwords until they find the right one. This database can be a dictionary or something more streamlined like a rainbow table. Rainbow tables are repositories of possible passwords that have been collected for hackers to use. Unsalted hashes, the least secure method of storing passwords, are most at risk of being cracked during a dictionary attack. The speed with which this attack can be performed, as with all brute force attacks, depends on the processing power of the computer used.

Credential recycling:

This method uses credentials (such as usernames and passwords) that were exposed in previous attacks. A more complex variant of this attack is called “pass the hash.” In this scenario, captured credentials that have not been cracked (the password hashes themselves) are submitted directly to the login.

Reverse brute-forcing:

This takes a well-known password, such as “password,” and tries to log in by brute-forcing the user ID. It is surprisingly effective, as simplistic passwords like “password,” “123456,” and “abcdefg” are still used today, much to the dismay of InfoSec professionals.
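A defender can tell the dictionary and reverse patterns above apart in authentication logs by counting, per source, how many failures there are and how many distinct accounts they touch. The following is an added example, not code from the original article; the log format, the sample lines and the threshold are constructed assumptions.

```python
# Added example: classify failed-login sources into the brute force patterns
# described above. Log format and sample lines are constructed; the
# min_failures threshold is an assumption to tune per environment.
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: one source hammering a single account, another
# trying one guess against many accounts, and a lone failure that is noise.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z FAILED user=alice src=198.51.100.7
2024-01-01T10:00:02Z FAILED user=alice src=198.51.100.7
2024-01-01T10:00:03Z FAILED user=alice src=198.51.100.7
2024-01-01T10:00:04Z FAILED user=alice src=198.51.100.7
2024-01-01T10:00:05Z FAILED user=alice src=198.51.100.7
2024-01-01T10:00:06Z FAILED user=bob src=203.0.113.9
2024-01-01T10:00:07Z FAILED user=carol src=203.0.113.9
2024-01-01T10:00:08Z FAILED user=dave src=203.0.113.9
2024-01-01T10:00:09Z FAILED user=erin src=203.0.113.9
2024-01-01T10:00:10Z FAILED user=frank src=203.0.113.9
2024-01-01T10:00:11Z FAILED user=grace src=192.0.2.5
"""

def classify(log_text, min_failures=5):
    """Return {src: pattern} for every source with >= min_failures failures."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            by_src[m["src"]].append(m["user"])
    verdicts = {}
    for src, users in by_src.items():
        if len(users) < min_failures:
            continue
        distinct = len(set(users))
        if distinct == 1:
            # Many guesses against one account: the classic dictionary attack.
            verdicts[src] = "dictionary"
        elif distinct == len(users):
            # One guess per account across many accounts: reverse brute force.
            # A per-account lockout alone never triggers on this pattern.
            verdicts[src] = "reverse"
        else:
            verdicts[src] = "mixed"
    return verdicts
```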

How to Prevent Brute Force Attacks

The most basic method to mitigate brute force attempts is to lock out users after multiple failed login attempts. The disadvantage of this strategy is that a nefarious user can deliberately trigger lockouts on many accounts, creating a denial of service within an organization.

An alternative strategy that is a somewhat upgraded form of lockouts is called “progressive delays.” This also locks out users after failed attempts; however, there is an increased time penalty with each subsequent failure. Brute forcing programs will be further and further delayed by this tactic.
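The progressive delay scheme described above, as an added example that is not part of the original article: per-account failure counts with a doubling penalty that is capped, so that a hard lockout's denial-of-service problem is avoided. The class name, the schedule (1 s doubling per failure, 5 minute cap) and the injectable clock are assumptions.

```python
# Added example: per-account progressive delay throttle. Names, the delay
# schedule and the injectable clock are assumptions for illustration.
import time

class ProgressiveDelay:
    """Track failed logins per account and impose a growing wait."""

    def __init__(self, base_seconds=1.0, cap_seconds=300.0, clock=time.monotonic):
        self.base = base_seconds
        self.cap = cap_seconds
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self.failures = {}  # account -> consecutive failure count
        self.blocked_until = {}  # account -> clock time when the penalty ends

    def delay_for(self, failures):
        # Doubles with every failure (1s, 2s, 4s, ...) but is capped, so an
        # attacker hammering someone else's account cannot lock it out forever,
        # which is the denial-of-service weakness of a hard lockout.
        if failures <= 0:
            return 0.0
        return min(self.base * 2 ** (failures - 1), self.cap)

    def seconds_to_wait(self, account):
        return max(0.0, self.blocked_until.get(account, 0.0) - self.clock())

    def attempt(self, account, password_is_correct):
        """Return (accepted, seconds_to_wait); password_is_correct is a callable."""
        wait = self.seconds_to_wait(account)
        if wait > 0:
            return False, wait  # inside the penalty window: refuse without checking
        if password_is_correct():
            self.failures.pop(account, None)  # success resets the penalty
            self.blocked_until.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        penalty = self.delay_for(n)
        self.blocked_until[account] = self.clock() + penalty
        return False, penalty
```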

One other popular method of preventing brute-forcing is CAPTCHA, a long acronym for “completely automated public Turing test to tell computers and humans apart.” This detects suspicious activity and forces the user to complete a set of tests, usually visual identification of objects. The problem with CAPTCHA is that regular users get roped into it frequently. Tor and VPN users are also flagged as “suspicious” because of the network traffic the server sees from them. As a result, CAPTCHA discriminates against users who need to hide their identity for safety reasons.

The final, and perhaps most obvious, way to prevent brute-forcing is to require strong alphanumeric passwords. In addition to this, salting the hashes used to store the passwords strengthens the defense even further. Salted hashes, along with strong and hard-to-guess passwords, force brute-forcing programs to work much harder to crack even a single password. The salt scrambles the stored data in such a way that the actual login may have already changed (companies should change passwords frequently) by the time the password is found.
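Salted versus unsalted storage, as an added example that is not from the original article: with a per-user random salt, two users who chose the same weak password get different stored hashes, so a single precomputed table no longer cracks both, and verification recomputes the hash from the stored salt. The iteration count and the record layout are assumptions; only the Python standard library is used.

```python
# Added example: salted, iterated password storage next to an unsalted hash.
# ITERATIONS and the record layout are assumptions for illustration.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster

def unsalted_hash(password):
    # The weak scheme: identical passwords give identical digests, so one
    # precomputed table cracks every account that shares a password.
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password, salt=None):
    # Per-user random salt; the stored record carries salt, digest and cost.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(password, record):
    # Recompute with the stored salt and cost, then compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def demo():
    # Constructed sample: two users who both picked the weak password "password".
    alice = make_record("password")
    bob = make_record("password")
    return {
        "unsalted_equal": unsalted_hash("password") == unsalted_hash("password"),
        "salted_equal": alice["hash"] == bob["hash"],
        "alice_ok": verify("password", alice),
        "alice_wrong": verify("Password", alice),
    }

if __name__ == "__main__":
    print(demo())
```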

Strengths and Weaknesses of Brute Force Attacks

The strengths and weaknesses of brute-forcing are often dependent on the target being attacked. In some cases, brute forcing is a surefire way to gain access to a network. This is usually when poor security practices are in place, both on the administrative and user ends. On the other hand, an entity that utilizes a multi-faceted cybersecurity strategy will be more prepared. Brute forcing will only alert intrusion detection systems and lock the attacker out from the outer layers of the network.

Brute forcing strength is also dependent on the processing power and tools at the disposal of the attacker. A weak machine with poorly prepared software will be inefficient at cracking a password. Alternatively, a supercomputer with well-organized attack strategies can be incredibly effective when breaking into a user account.

Finally, time is often the biggest hurdle in the brute-forcing strategy. How long an attacker has before they cannot go after their target will determine a great deal. Brute forcing, even when done by the most equipped individuals, can be very time-consuming. The longer the attack goes on, the more the hackers risk being discovered and having their operation blown apart.

All of these factors combined will determine whether or not a hacker will benefit from brute-forcing their way into a network.

Is brute forcing illegal?

Any attempt to access a system, device, or network without prior authorization is illegal. The only way this can be legally circumvented is with express written permission from the owner of the target. This is usually done during a penetration test. A penetration test is when a company or other entity hires an offensive security professional (also known as a pentester or white-hat hacker).

The goal of the pentester is to test the security of their client by any means explicitly allowed. They are given strict parameters of what to attack and what to ignore during the pentest.

So, unless you are a pentester and your client allows for brute forcing, it is 100 percent illegal. Prison time for illegally accessing a network is determined by local laws, but it is never something to strive for.

How long do brute force attacks take?

There is no set timetable for how long a brute force attack takes. It is all dependent on a series of factors. How powerful is the computer doing the brute forcing? What software is being employed? What tactics are the attackers using? Is the target well-defended or are their passwords simplistic and unsalted?

Taking all of this into account, the answer is incredibly varied. It could take a minute if you have access to military-grade hardware and have a weak target. It could take months using your personal desktop that has no special processing capabilities. It is simply not possible to pin down one uniform answer.