What is a Brute Force Attack

A brute force attack is one of the oldest hacking techniques still in circulation today. The idea behind it is to try every single combination of possible entries until the correct one is found. Brute force attacks fall under the category of “cryptanalytic attacks,” which just means that it seeks to break a cryptographic hash. The other term commonly associated with a brute force attack is “exhaustive search” because, as the name implies, it is testing all permutations of a set of data until the correct one is found.

Typically, brute force attacks are associated with password discovery. Brute forcing can also reveal hidden data in applications and web pages. For the sake of clarity, this look into brute forcing will focus more on password discovery as most security incidents involve this version of the attack. At least five percent of all cybersecurity attacks are a result of brute-forcing.

Brute Force Attack Tools

Most brute force attacks take place with the assistance of various software. The most popular are as follows:


This tool is incredibly popular for cracking WiFi passwords, both for cybercriminals and penetration testers (a case that is true for all of these tools). It comes preloaded with tools intended to brute force Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA), and WiFi Protected Access 2 Pre-Shared Key (WPA2-PSK) passkeys.

John the Ripper:

A software that is able to identify the type of hash used to encrypt passwords and subsequently crack them. Encrypted password storage is usually the target when employing this particular program. It can combine alphanumeric data or use a set list of passwords to test from.

Rainbow Crack:

Utilizes rainbow tables (more on this later) to perform the brute force. Ultimately, it is less complex than some of these programs as it relies on the very old-school method of trying passwords instead of attacking the cryptographic hash.

Cain and Abel:

In addition to performing a variety of brute force methods, Cain and Abel can also scan networks. The data it can uncover includes routing protocols, VoIP conversations (namely recording them), password box locations, cached passwords, and much more. It is a powerful tool, and in the right hands, can do serious damage.


Made specifically for attacking the Windows OS, L0phtCrack can perform run-of-the-mill dictionary and cryptanalysis attacks, but it is most well-known for having the ability to extract hashes from 64 bit Windows systems.


This is specifically meant for attacking network authentications. It attacks numerous network protocols via brute forcing, including RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Types of Brute Force Attacks

Dictionary attack:

The most classic brute forcing method is this one. An attacker goes through a set database of all possible passwords until they find the right one. This database can literally be a dictionary or something more streamlined like a rainbow table. Rainbow tables are repositories of possible passwords that have been collected for hackers to use. Unsalted hashes, i.e. the most insecure method of storing passwords, are at the most risk for being cracked during a dictionary attack. The speed with which this attack can be performed, as it is with all brute force attacks, depends on the power of the computer used.

Credential recycling:

This method uses credentials (such as user identification names and passwords) that were found in previous brute force attacks. A more complex version of this attack is called “pass the hash.” In this scenario, credentials that have not already been brute-forced are plugged into the login box.

Reverse brute-forcing:

This takes a well-known password, such as “password,” and tries to login by brute-forcing the user id. It is surprisingly effective as simplistic passwords like “password,” “123456,” and “abcdefg” are still used today, much to the dismay of InfoSec professionals.

How to Prevent Brute Force Attacks

The most basic method to mitigate brute force attempts is to lock out users after multiple login attempts. The disadvantage to this strategy is that a nefarious user can lock out various accounts and create a denial-of-service in an organization via exploiting this.

An alternative strategy that is a somewhat upgraded form of lockouts is called “progressive delays.” This also locks out users after failed attempts; however, there is an increased time penalty with each subsequent failure. Brute forcing programs will be further and further delayed by this tactic.

One other popular method of preventing brute-forcing is CAPTCHA, a long acronym for “completely automated public Turing test to tell computers and humans apart.” This will detect suspicious activity and force the user to complete a set of tests, usually visual identification of objects. The problem with CAPTCHA is that regular users get roped into this frequently. Tor users and VPN users as well are flagged as “suspicious” due to the network traffic the server picks up from them. As a result, CAPTCHA discriminates against users who need to hide their identity for safety reasons.

The final, and perhaps most obvious, way to prevent brute-forcing is to require strong alphanumeric passwords. In addition to this, salting the hash encryption that stores the passwords will strengthen the defense even further. Salted hashes, along with strong and hard-to-guess passwords, force brute-forcing programs to work harder to decrypt a single character. It scrambles the data in such a way that the actual login may have already changed (companies should change passwords frequently) by the time the password is found.

Strengths and Weaknesses of Brute Force Attacks

The strengths and weaknesses of brute-forcing are often dependent on the target being attacked. In some cases, brute forcing is a surefire way to gain access to a network. This is usually when poor security practices are in place, both on the administrative and user ends. On the other hand, an entity that utilizes a multi-faceted cybersecurity strategy will be more prepared. Brute forcing will only alert intrusion detection systems and lock the attacker out from the outer layers of the network.

Brute forcing strength is also dependent on the processing power and tools at the disposal of the attacker. A weak machine with poorly prepared software will be inefficient at cracking a password. Alternatively, a supercomputer with well-organized attack strategies can be incredibly effective when breaking into a user account.

Finally, time is often the biggest hurdle in the brute-forcing strategy. How long an attacker has before they cannot go after their target will determine a great deal. Brute forcing, even when done by the most equipped individuals, can be very time-consuming. The longer the attack goes on, the more the hackers risk being discovered and having their operation blown apart.

All of these factors combined will determine whether or not a hacker will benefit from brute-forcing their way into a network.

FAQs(Frequently Asked Questions)


Any attempt to access a system, device, or network without prior authorization is illegal. The only way this can be legally circumnavigated is with express wrote permission from the owner of the target. This is usually done during a penetration test. A penetration test is when a company or other entity hires an offensive security professional (also known as a pentester or white-hat hacker).

The goal of the pentester is to test the security of their client by any means explicitly allowed. They are given strict parameters of what to attack and what to ignore during the pentest.

So, unless you are a pentester and your client allows for brute forcing, it is 100 percent illegal. Prison time for illegally accessing a network is determined by local laws, but it is never something to strive for.
There is no set timetable for how long a brute force attack takes. It is all dependent on a series of factors. How powerful is the computer doing the brute forcing? What software is being employed? What tactics are the attackers using? Is the target well-defended or are their passwords simplistic and unsalted?

Taking all of this into account, the answer is incredibly varied. It could take a minute if you have access to military-grade hardware and have a weak target. It could take months using your personal desktop that has no special processing capabilities. It is simply not possible to pin down one uniform answer.